1 Introduction

We present a proof of unconditional security of a practical quantum key distribution protocol. It is an extension of a previous result obtained by Mayers [1], [?], which proves unconditional security provided that a perfect single photon source is used. At present, perfect single photon sources are not available and, therefore, practical implementations use either dim laser pulses or post-selected states from parametric downconversion. Both practical signal types contain multi-photon contributions which characterise the deviation from the ideal single-photon state. This compromise seriously threatens the security of quantum key distribution when the loss rate in the quantum channel is high [?], [?], [?]. Security of such practical realisations has nevertheless been proven in [?] against restricted types of eavesdropping attacks. The salient idea used in [?] is that data associated with multiple photon signals are revealed to a possible eavesdropper, without the legitimate users' knowledge. We show here that this model can be combined with Mayers' proof. The resulting extension guarantees unconditional security of a realistic quantum key distribution protocol against an enemy with unlimited classical or quantum computational power.

By now, Mayers' proof has been followed up by other proofs of the security of ideal single-photon quantum key distribution [?], [?]. Security assuming some restrictions on the eavesdropper's attack can be found in [?], [?], [?]. Security of protocols in which honest participants use trusted quantum computers can be found in [12].

Unconditional security of a protocol means security against a cheater with unlimited computational power, quantum or classical. In other words, it means that there is no condition on the cheater. It does not mean that there is no condition on the apparatus used by the honest participants. This last interpretation would be equivalent to saying that we know nothing about the protocol that is actually implemented. So, each proof of unconditional security must use a different type of assumptions on these apparatus. Mayers' original proof applies to an unrestricted eavesdropper's attack on the quantum signals, but assumes the source used in the protocol is perfect. In particular, it assumes that the source emits single photon pulses. In this paper, we present a derivation of the proof in which the last assumption is relaxed: we still consider sources that perform perfect polarisation encoding, but each signal now carries a random number of photons in the ideal polarisation mode. The random variables giving the numbers of photons in the pulses are assumed to be identically and independently distributed, and we require that an upper bound on the probability that a pulse contains several photons is known. As in Mayers' original paper, there is no assumption on the quantum channel nor on the detection unit, except that, given an input quantum state of any signal, the detector's probability of detecting a signal does not depend on the choice of the measurement basis. A more detailed discussion about assumptions in quantum cryptography together with a new approach to this problem, especially the problem of an untrusted BB84 source, can be found in [?].

This paper is divided into two parts. In the first part we define the assumptions of our proof, the protocol we refer to and the security notion. We then give the result of our proof, which gives the precise quantitative meaning of our security statement. In that step the parameters of the protocol that lead to secure quantum key cryptography are given. We illustrate the results by giving the asymptotic formulas for the limit of long keys, which show how many secure bits the protocol will obtain for a given experimental set-up as a function of the source parameters and the error rate. In the second part, we present the detailed proof of the statements of the first part. We have chosen to give all details of this proof to make it self-contained, although it follows closely Mayers' original work. The readers are invited to refer to the original paper [?], where a simpler situation was analysed, to get an insight into the main idea of the proof.

2 Security in Quantum Key Distribution 

The role of key distribution between two distant legitimate parties, traditionally called Alice and Bob, 
is to generate a shared random binary string, called the private key, that is guaranteed to be known 
only by the legitimate parties. A non-authorised party, traditionally called Eve, should not be able to 
obtain any information about the private key. More precisely, for any eavesdropping strategy Eve chooses, 
the conditional entropy of the private key, given the data Eve acquires during the protocol, should be 
very close to the maximum entropy, corresponding to a uniformly and independently distributed key. 
One requirement for this is that the conditional probability of the private key given Eve's data must be 
very close to the uniform distribution. Note that it is not sufficient to impose that the private key be 
independent of the data Eve acquires: a key distribution protocol that returns a specific value for the 
private key with high probability does not provide any privacy, even if Eve is inactive during the key 
distribution. 

Quantum key distribution protocols do not allow Alice and Bob to share a private key in all circumstances. For example, Eve can usually block signals between the two parties. But even if the signals arrive, Alice and Bob cannot always create a secure key using them. As shown in [?], it is in principle not possible to create a secure key with the BB84 protocol (using ideal signals) once the error rate exceeds 25 %. This is true for any post-processing of the data in the sense of advantage distillation or similar ideas. It is therefore characteristic for any full protocol (including the classical post-processing of the data) that it can deliver a secure private key only as long as the parameters describing the transmission of the quantum channel (like the error rate) are within a certain parameter region.

Any protocol therefore provides a validation test that tells whether a key can be generated with unconditional privacy. A key is created only if the test is passed. Otherwise the session is abandoned. Naturally, one would like to find an entropic bound given that the validation test is passed. However, it is known that such a bound is inappropriate for the protocol we consider in this paper (see for example [?]): there are simple attacks that give full knowledge about the private key, although with very small probability of success. It is therefore important to choose a good measure of privacy which nevertheless reflects our basic intuition.

We follow Mayers' proof and define formally a key even in the cases that the validation test is 
not passed. For this purpose Bob formally chooses with uniform distribution a binary sequence as key 
whenever the test fails. We then bound Eve's entropy on this always defined key, conditioned on her 
knowledge, to be arbitrarily close to the maximal value. Naturally, in that case Alice and Bob do not 
share a key, but this is unimportant since they are aware of it. 

This choice of security notion assures that Eve's conditional entropy is close to the maximal amount, but this situation can arise from two different scenarios: either Eve applies only gentle eavesdropping, which passes the validation tests and gives her basically no information, or she applies massive eavesdropping, which almost always fails the validation test, but in the unlikely event of passing the test might reveal a substantial amount of information. Nevertheless, in both cases the key will be safe, since in the first scenario Eve has no information on the key, while in the second case the probability of success will be, in a quantified way, extremely low.

Another important aspect of security of quantum key distribution protocols is the integrity or the 
faithfulness of the distributed key. We must require that whatever Eve does, it is very unlikely that Alice 
and Bob fail to share an identical private key while the validation test is passed. One way this situation 
might arise is the error correction procedure (which is a typical ingredient of a full protocol) failing to 
correct all errors, for example because of an unusual error distribution. 

Finally, we consider families of protocols for which a parameter, quantifying the amount of a resource used in a protocol, characterises its security. Usually, the higher this security parameter's value is, the higher is the level of security, but also the amount of the resource required by the protocol. In the protocol we consider, the number of quantum signals sent by Alice is the security parameter.

We now give a formal definition of security. For this we will introduce some notation. A random variable will always be denoted by a bold letter, and values taken by this random variable by the corresponding plain letter. Only discrete random variables will be considered in this paper. The probability distribution of a random variable $\mathbf{x}$ is denoted by $P_{\mathbf{x}}$, i.e. $P_{\mathbf{x}}(x) = \Pr(\mathbf{x} = x)$ is the probability that $\mathbf{x}$ takes the value $x$. The joint distribution of two random variables $\mathbf{x}$ and $\mathbf{y}$ is denoted by $P_{\mathbf{xy}}$, i.e. $P_{\mathbf{xy}}(x,y) = \Pr(\mathbf{x} = x, \mathbf{y} = y)$. The conditional probability of $\mathbf{x}$ given an event $\mathcal{E}$ with positive probability is denoted by $P_{\mathbf{x}|\mathcal{E}}$, i.e. $P_{\mathbf{x}|\mathcal{E}}(x) = \Pr(\mathbf{x} = x \,|\, \mathcal{E})$. The conditional probability of $\mathbf{x}$ given that $\mathbf{y}$ takes a value $y$ is denoted by $P_{\mathbf{x}|\mathbf{y}=y}$ whenever $P_{\mathbf{y}}(y) > 0$, i.e. $P_{\mathbf{x}|\mathbf{y}=y}(x) = \Pr(\mathbf{x} = x \,|\, \mathbf{y} = y) = P_{\mathbf{xy}}(x,y)/P_{\mathbf{y}}(y)$ whenever $P_{\mathbf{y}}(y)$ is positive. Let $f$ be a function defined on the image of $\mathbf{x}$. When no confusion is possible, the notation $\mathbf{f}$ will be adopted to denote the random variable $f(\mathbf{x})$.

We will denote by $\mathbf{k}$ the random variable giving the private key generated in a key distribution session. The key is a string of $m$ bits where $m$ is a positive integer specified by the legitimate users. That is, $\mathbf{k}$ takes values in $\{0,1\}^m$. We denote by $\mathbf{valid}$ the random variable giving the outcome of the validation test and by $\mathbf{share}$ the random variable telling whether Alice and Bob share an identical private key. Given an eavesdropping strategy chosen by Eve, we denote by $\mathbf{v}$ the random variable giving collectively all data Eve gets during this key distribution session. Henceforth, given the eavesdropping strategy adopted by Eve, $\mathbf{v}$ is called the view of Eve, and we will denote by $Z$ the set of all values $\mathbf{v}$ may take.

We adopt the following definition of security for quantum key distribution protocols. 

Definition 1 Consider a quantum key distribution protocol returning a key $\mathbf{k} \in \{0,1\}^m$ regardless of the outcome of the validation test, where the length of the key, $m$, is fixed and chosen by the user. We say that the protocol has (asymptotic) perfect security if and only if:

• the protocol is parametrised by a parameter $N$ taking values in $\mathbb{N}$ called the security parameter, and

• there exist two functions $\epsilon_1, \epsilon_2 : \mathbb{N} \times \mathbb{N} \to \mathbb{R}^+$ such that $\epsilon_1(N,m)$ and $\epsilon_2(N,m)$ vanish exponentially as $N$ grows (i.e. there exist $\alpha > 0$, $\beta > 0$, $N_{\min} \in \mathbb{N}$ and a function $f : \mathbb{N} \to \mathbb{R}^+$ such that $\forall N > N_{\min}$, $\epsilon_1(N,m), \epsilon_2(N,m) < e^{-\alpha N^{\beta} f(m)}$), and

• there exists a function $N_0 : \mathbb{N} \to \mathbb{N}$ such that, for any strategy adopted by Eve,

$\forall m, \forall N > N_0(m)$,

(privacy) $H(\mathbf{k}|\mathbf{v}) \geq m - \epsilon_1(N,m)$   (1)

(integrity) $\Pr(\neg\mathbf{share} \text{ and } \mathbf{valid}) \leq \epsilon_2(N,m)$   (2)

where $\mathbf{v}$ is Eve's view given her strategy, and $H(\mathbf{k}|\mathbf{v}) = -\sum_{(k,v):\, P_{\mathbf{kv}}(k,v) > 0} P_{\mathbf{kv}}(k,v) \log_2 P_{\mathbf{k}|\mathbf{v}=v}(k)$ is the Shannon entropy [?], [?], [?] of the key $\mathbf{k}$ given Eve's view $\mathbf{v}$.

We will show that the protocol presented in the next section is secure according to this definition. In particular, this means that the protocol creates a key of length $m$ out of $N$ signals. Then, by choosing $N$ large enough for fixed values of $m$, we can always assure that Eve's conditional entropy is arbitrarily close to the maximum amount (privacy). Additionally, with a probability arbitrarily close to unity, Alice and Bob share the key given that the validation test is passed (integrity).

3 The protocol 

In this section, the quantum key distribution protocol considered in this paper is described. It is an adaptation of the BB84 [?] protocol which takes into account the usage of an imperfect photon source. Note that the usage of an imperfect source has been discussed as early as the first experimental implementation of BB84 [18], in the framework of restricted types of eavesdropping attacks. We first make precise which assumptions on the quantum channel we adopt in this paper. Then we give a formal description of the protocol.

3.1 Required technology 

In the original proof [?], Mayers considered a practical realisation of quantum key distribution prone to noise and signal loss. However, the legitimate parties were assumed to be using a perfect single photon source, that is, a source that emits exactly one photon in the chosen polarisation state. No restriction was imposed on the photo-detection unit used in the protocol, except that, given an incoming signal, the probability of detection was required to be independent of the basis used to measure the signal. It was argued in [2] that Eve can take advantage of a detection unit in which the probability of detection depends on the basis chosen for the measurement, and we will adopt in this paper the same restriction regarding the detection unit.

The new feature in this paper is that we allow the use of an imperfect source of photons in the following sense: given a polarisation state specified by the user, the source emits photons exactly in the specified polarisation state, but in a mixture of Fock states. That is, the source emits $n$ photons in the given polarisation state with probability $p_n$, where $n \in \mathbb{N}$ and $p_0, p_1, p_2, \ldots$ is a probability distribution. The user does not have to know how many photons were actually emitted. The only restriction we impose is that an upper bound $M_{\max}$ on the number of emitted signals containing several photons is known within a confidence limit given by the (small) probability $\Pr(M > M_{\max})$. We restrict ourselves to providing this bound for signals with identically and independently distributed multi-photon probability $p_m$. In that case we can choose $M_{\max} = (p_m + \tau_m) N$ and obtain $\Pr(M > M_{\max}) \leq \exp(-\tau_m^2 N)$, as explained below. Other methods for providing $M_{\max}$ and $\Pr(M > M_{\max})$ can be used, in which case the corresponding terms replace the expressions derived here, which are easily identifiable in the subsequent results.

The authors believe this relaxation of the requirement has practical importance, since single photon sources are not yet available, due to technological limitations. Furthermore, it has been pointed out [?] that in most experimental implementations of quantum key distribution, the quantum signals transmitted by the legitimate parties can be described as mixtures of Fock states.

As an example, consider a practical source emitting a coherent state of light in a given polarisation:

$|\alpha\rangle = e^{-|\alpha|^2/2} \sum_{j=0}^{\infty} \frac{\alpha^j}{\sqrt{j!}} |j\rangle$   (3)

where $|j\rangle$, $j \in \mathbb{N}$, is the number state, or Fock state, describing a state of $j$ photons in the considered polarisation (therefore, for $\alpha \neq 0$, a coherent state has an indefinite number of photons). If we write $\alpha = |\alpha| e^{i\phi}$, $|\alpha|$ and $\phi$ are called the amplitude and phase of the coherent pulse, respectively.



In general, the phase of a pulse is completely unknown, or can be rendered random thanks to a phase randomisation technique. Since the phase is then uniformly distributed, a pulse state in a given polarisation is described by the density matrix:

$\rho_{\mathrm{source}} = \frac{1}{2\pi} \int_0^{2\pi} \big| |\alpha| e^{i\phi} \big\rangle \big\langle |\alpha| e^{i\phi} \big| \, d\phi$   (4)

Therefore, the signals emitted by a coherent source of light become a classical mixture of Fock states due to the lack of a phase reference. Another example of a practical source is a source emitting thermal states of light. Such states are already mixtures of Fock states. The above de-phasing argument applies in general for any signal state. Further studies of source characterisation can be found in [19].
We summarise the assumptions on the quantum setup adopted throughout this paper: 

• The legitimate parties use a source of photons that sends a mixture of Fock states $\rho = \sum_{n \geq 0} p_n |n\rangle\langle n|$ in the polarisation state exactly as specified by the user. The numbers of photons in the pulses emitted by the source are assumed to be identically and independently distributed. The upper bound $M_{\max}$ on the emitted number of multi-photon signals during the protocol is known by the legitimate parties to hold except with a negligible probability $\Pr(M > M_{\max})$.

• The legitimate parties use a photo-detection unit such that for any given signal, the probability of detection is independent of the choice of the measurement basis.

• The signals and Alice's and Bob's polarisation bases are chosen truly at random.

• Eve cannot intrude into Alice's or Bob's apparatus by utilising the quantum channel. She is restricted to interacting with the signals as they pass along the quantum channel.
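As an added numerical illustration (not from the paper), the following checks that the phase average of Eq. (4) yields the diagonal Fock mixture assumed above, with Poissonian $p_n$, and evaluates the multi-photon probability $p_m$ and the bound $M_{\max} = (p_m + \tau_m)N$ for a constructed mean photon number; the truncation $n_{\max}$ and the phase grid size are assumptions of the example.

```python
import cmath
import math

# Added example, not code from the paper: a numerical check that the
# phase-averaged coherent state of Eq. (4) is the Fock-state mixture assumed in
# Section 3.1, with Poissonian p_n, plus the multi-photon bound M_max.

def coherent_amplitudes(alpha, n_max):
    """Fock-basis amplitudes <j|alpha> = e^{-|alpha|^2/2} alpha^j / sqrt(j!),
    Eq. (3), truncated at j = n_max (assumed truncation)."""
    norm = math.exp(-abs(alpha) ** 2 / 2)
    return [norm * alpha ** j / math.sqrt(math.factorial(j))
            for j in range(n_max + 1)]

def phase_averaged_state(mu, n_max, phases=64):
    """Eq. (4) on a uniform grid of `phases` phase values with |alpha|^2 = mu.
    With more grid points than n_max the off-diagonal terms cancel exactly
    (discrete Fourier orthogonality), leaving the mixture sum_n p_n |n><n|."""
    dim = n_max + 1
    rho = [[0j] * dim for _ in range(dim)]
    for k in range(phases):
        alpha = math.sqrt(mu) * cmath.exp(2j * math.pi * k / phases)
        amp = coherent_amplitudes(alpha, n_max)
        for j in range(dim):
            for l in range(dim):
                rho[j][l] += amp[j] * amp[l].conjugate() / phases
    return rho

def poisson(mu, n):
    """p_n for a coherent state of mean photon number mu."""
    return math.exp(-mu) * mu ** n / math.factorial(n)

def max_offdiagonal(rho):
    """Largest |rho_jl| with j != l; zero for a classical Fock mixture."""
    dim = len(rho)
    return max(abs(rho[j][l]) for j in range(dim) for l in range(dim) if j != l)

def multiphoton_probability(mu):
    """p_m = Pr(n >= 2) = 1 - p_0 - p_1: the probability that a pulse carries
    more than one photon."""
    return 1.0 - poisson(mu, 0) - poisson(mu, 1)

def multiphoton_bound(mu, N, tau_m):
    """M_max = (p_m + tau_m) N for N i.i.d. pulses, with the confidence term
    exp(-tau_m^2 N) of Section 3.1 (Hoeffding's inequality gives the stronger
    exp(-2 tau_m^2 N), so this is a valid, if looser, bound)."""
    p_m = multiphoton_probability(mu)
    return (p_m + tau_m) * N, math.exp(-tau_m ** 2 * N)

if __name__ == "__main__":
    rho = phase_averaged_state(0.1, 6)          # constructed: mu = 0.1 photons
    print("max off-diagonal:", max_offdiagonal(rho))
    print("diag vs Poisson:", [(round(rho[j][j].real, 6), round(poisson(0.1, j), 6))
                               for j in range(3)])
    print("M_max, Pr(M > M_max) <=", multiphoton_bound(0.1, 10**6, 0.01))
```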

3.2 The protocol 

The quantum key distribution protocol under consideration, based on Bennett and Brassard's BB84 [?], is now defined. It comprises three stages: agreement on the parameters of the protocol and the security constants, the transmission of quantum signals, and the execution of a classical protocol together with the validation test.

Pre-agreement

1. Alice and Bob specify:

• $m$, the length (in bits) of the private key to be generated.

• $N$, the number of quantum signals to be sent by Alice. This integer is the security parameter of the protocol.

• $\delta$, the maximum threshold value for the error rate for the validation test.

• $r_{\min}$, the minimum threshold value for Bob's detection rate ($1 > r_{\min} > M_{\max}/N$).

• $p_R$, the proportion of the shared bits that must be publicly announced for the validation test ($0 < p_R < 1/2$).

• $\tau_{ec}$, $\tau_f$, $\tau_m$, $\tau$, and $\tau_p$, the security constants of the protocol. They are small strictly positive real numbers chosen so that $\delta + \tau_{ec} < 1$, $\delta + \tau_f < 1$, $r_{\min} > M_{\max}/N$, $\tau < \ldots$ (the upper bound on $\tau$ is not legible in this copy), $\tau_p < 1$.



Quantum Transmission

2. Alice and Bob initialise the counter of the signals as $i = 0$ and Bob initialises the set of detected signals as $D = \{\}$. Then, until the pre-agreed number of signals has been sent ($i = N$), the following is repeated:

(a) Alice and Bob increment $i$ by one.

(b) Alice picks randomly with uniform distribution a basis $a_i \in \{+, \times\}$ and a bit value $g_i \in \{0, 1\}$.

(c) Alice makes her source emit a pulse of photons in the state $|\Psi(g_i, a_i)\rangle$, where $|\Psi(0,+)\rangle$, $|\Psi(1,+)\rangle$, $|\Psi(0,\times)\rangle$ and $|\Psi(1,\times)\rangle$ correspond to single photon states of polarisation angles $0$, $\pi/2$, $\pi/4$ and $-\pi/4$, respectively. We recall that $\{|\Psi(0,+)\rangle, |\Psi(1,+)\rangle\}$ forms an orthonormal basis of $\mathcal{H}_{\mathrm{photon}}$, the Hilbert space for single photon polarisation states, and

$|\Psi(0,\times)\rangle = \frac{|\Psi(0,+)\rangle + |\Psi(1,+)\rangle}{\sqrt{2}}, \qquad |\Psi(1,\times)\rangle = \frac{|\Psi(0,+)\rangle - |\Psi(1,+)\rangle}{\sqrt{2}}.$

(d) Bob measures Alice's pulse in the basis $b_i$, where $b_i \in \{+, \times\}$ is chosen randomly each time. If at least one photon is detected, the index $i$ is added to the set $D$ of detected signals' indexes, and the outcome of the measurement is recorded as $h_i \in \{0, 1\}$ (if the detection unit finds photons in both modes, $h_i = 0$ and $h_i = 1$, the value for $h_i$ is chosen randomly in $\{0, 1\}$ by Bob). If no photon is detected at all, $h_i$ is assigned the value $\perp$.

Note that the random choice of basis in step (d) might be provided by a beamsplitter (or a coupler) followed by two measurement setups, each measuring the photons in the basis $+$ and $\times$ respectively. It might also be given by an external random number generator acting on a polarisation rotator.

Classical part

We denote by $n$ the number of signals detected by Bob, i.e. $n = |D|$, and by $a = (a_1, \ldots, a_N) \in \{+, \times\}^N$, $b = (b_1, \ldots, b_N) \in \{+, \times\}^N$, $g = (g_1, \ldots, g_N) \in \{0, 1\}^N$ and $h = (h_1, \ldots, h_N) \in \{0, 1, \perp\}^N$ the outcome of the quantum transmission (Step 2). Restrictions of these vectors onto some specified subset $X \subset \{1, \ldots, N\}$ will be denoted by $a(X), b(X), g(X), h(X)$.

3. Bob announces the set of detected signals $D$ to Alice.

4. Bob picks randomly a subset of signals which will be revealed for the validation test, $R \subset \{1, \ldots, N\}$, where each position $i \in \{1, \ldots, N\}$ is put in $R$ with probability $p_R$.

5. Bob announces the revealed set $R$ and the measurement bases of all signals, $b$, to Alice.

6. Bob announces the bit values of the test set, $h(D \cap R)$, to Alice.

7. Alice computes the set of corresponding signals $\Omega = \{i \in D : a_i = b_i\}$, the set of corresponding test signals $T = \Omega \cap R$ and the set of untested corresponding signals $E = \Omega \setminus R$. We denote $|E|$ by $l$.

8. Alice announces the polarisation bases of all of her signals, $a$, thus implicitly announcing $\Omega$ and $E$ as well. The bitstreams $g(E)$ and $h(E)$ are usually called sifted keys.

9. Alice chooses a linear error correcting code [?], [?] capable of correcting $\lceil(\delta + \tau_{ec})(1 - p_R)|\Omega|\rceil$ errors in $E$. Its parity check matrix, $F$, is an $r \times l$ binary matrix, where $r$ is the number of redundant bits required to correct $\lceil(\delta + \tau_{ec})(1 - p_R)|\Omega|\rceil$ errors in $l$ bits using the linear error correcting code. Alice announces the syndrome $s = F g(E) \pmod 2$ to Bob.

10. Receiving the parity check matrix $F$ and the syndrome $s$, Bob runs the error correction on his sifted key $h(E)$ and obtains $h'(E)$. If there are fewer than $\lceil(\delta + \tau_{ec})(1 - p_R)|\Omega|\rceil$ errors in $E$, Bob successfully corrects all the errors and obtains $g(E)$, i.e. $h'(E) = g(E)$.

11. Alice picks randomly with uniform distribution an $m \times l$ binary matrix $K$ to which we will refer as the privacy amplification matrix. Alice announces $K$ publicly.

12. Receiving the privacy amplification matrix $K$, Bob computes $k' = K h'(E) \pmod 2$.
Validation test

Alice runs the validation test.

13. Alice tests whether the following conditions are all satisfied:

• Bob's detection rate is greater than $r_{\min}$, i.e.

$n > r_{\min} N$.   (7)

• The size of $E$ complies with the following inequalities:

$l > (\delta + \tau_f)(1 - p_R) n$,   (8)

$m + r < L$,   (9)

where $L$, defined by Eq. (10), is a probabilistic lower bound on the number of signals in the set $E$ which are due to single photon signals. [The expression (10) for $L$, which involves $(1 - p_R)$, $2(\delta + \tau_f)$, $n$, $\tau$ and $(n - M_{\max})$, is not legible in this copy.]

• The number of errors in the tested set $T$ is lower than the maximally allowed value. More precisely,

$|\{i \in T : g_i \neq h_i\}| < d$,   (11)

where $d = \delta |\Omega| p_R$.

The validation test is passed if and only if all the conditions above are satisfied. The private key is the bitstream obtained by Alice as follows:

14. Alice computes the private key, defined as:

• $k = K g(E) \pmod 2$ if the validation test is passed,

• an $m$-bit string $k$ chosen randomly with uniform distribution each time the validation test is not passed.

This protocol defines a key regardless of whether the validation test is passed. The choice of the security constants used in the protocol is clarified in the following section.



Note: The matrix $K$ can be prepared in advance, and Eve could know its form before the transmission of the quantum signals. More precisely, Alice and Bob could pre-agree on some set of matrices $K$ for various values of $m$ and $l$. It is the special property [?] of $F$ and $K$ which is required here, and which will be introduced and explained in Section 5.3. This property is satisfied automatically if we choose $K$ as a random binary matrix, as specified in the protocol, and the constraint of Eq. (?) is satisfied. Our security proof can therefore be immediately adapted to other choices of $F$ and $K$, together with their respective constraints replacing Eq. (?), so as to satisfy the underlying required property of Section 5.3.
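The classical part of the protocol above (steps 3 to 14), as an added simulation that is not the paper's own code: it sifts a constructed quantum transmission, evaluates the legible conditions of the validation test, and applies a random privacy amplification matrix over GF(2). It assumes an idealised error-correcting code that succeeds whenever the number of errors in $E$ is within its nominal capacity, and uses a stand-in fraction of $l$ in place of the bound $L$, whose closed form is not legible here; all parameter values are constructed.

```python
import math
import random

# Added example, not code from the paper: the classical part of the protocol of
# Section 3.2 (sifting, validation test, privacy amplification) run on a
# constructed transmission.  Error correction is idealised (see ideal_correction).

def gf2_matvec(matrix, vector):
    """(matrix * vector) mod 2, as used for the syndrome F g(E) and for K h'(E)."""
    return [sum(a & x for a, x in zip(row, vector)) % 2 for row in matrix]

def quantum_transmission(N, p_detect, error_rate, rng):
    """Step 2, simulated: Alice's bases a and bits g, Bob's bases b, outcomes h
    (None stands for the symbol 'bottom') and the detected set D.  Loss and
    errors are drawn at fixed rates; no physical model is implied."""
    a = [rng.choice("+x") for _ in range(N)]
    g = [rng.randrange(2) for _ in range(N)]
    b = [rng.choice("+x") for _ in range(N)]
    h, D = [], set()
    for i in range(N):
        if rng.random() >= p_detect:
            h.append(None)                                  # no click
            continue
        D.add(i)
        if a[i] == b[i]:                                    # matching bases
            h.append(g[i] ^ (rng.random() < error_rate))    # flip with error_rate
        else:                                               # conjugate bases
            h.append(rng.randrange(2))                      # random outcome
    return a, g, b, h, D

def sift(a, b, D, p_R, rng):
    """Steps 3-8: test set R, corresponding signals Omega, tested T, untested E."""
    R = {i for i in range(len(a)) if rng.random() < p_R}
    Omega = {i for i in D if a[i] == b[i]}
    return Omega, sorted(Omega & R), sorted(Omega - R)

def ideal_correction(hE, gE, capacity):
    """Steps 9-10, idealised: a code correcting `capacity` errors yields g(E)
    exactly when the number of errors in E is within that capacity."""
    errors = sum(x != y for x, y in zip(hE, gE))
    return list(gE) if errors <= capacity else list(hE)

def validation_test(N, n, Omega, T, E, g, h, P):
    """Step 13, restricted to the conditions legible in the paper: detection
    rate (7), size of E (8)-(9) with the bound L supplied in P, errors on T (11)."""
    test_errors = sum(g[i] != h[i] for i in T)
    d = P["delta"] * len(Omega) * P["p_R"]
    return (n > P["r_min"] * N
            and len(E) > (P["delta"] + P["tau_f"]) * (1 - P["p_R"]) * n
            and P["m"] + P["r"] < P["L"]
            and test_errors < d)

def run_session(P, seed):
    """One session; returns the validation outcome and both parties' keys."""
    rng = random.Random(seed)
    N, m = P["N"], P["m"]
    a, g, b, h, D = quantum_transmission(N, P["p_detect"], P["error_rate"], rng)
    n = len(D)
    Omega, T, E = sift(a, b, D, P["p_R"], rng)
    gE, hE, l = [g[i] for i in E], [h[i] for i in E], len(E)
    capacity = math.ceil((P["delta"] + P["tau_ec"]) * (1 - P["p_R"]) * len(Omega))
    corrected = ideal_correction(hE, gE, capacity)
    # Steps 11-12: random m x l privacy amplification matrix K, announced publicly.
    K = [[rng.randrange(2) for _ in range(l)] for _ in range(m)]
    bob_key = gf2_matvec(K, corrected)
    # Steps 13-14: Alice's key is K g(E) if the test passes, uniform otherwise.
    P = dict(P, L=P["L_fraction"] * l)      # stand-in for the bound L (assumption)
    valid = validation_test(N, n, Omega, T, E, g, h, P)
    alice_key = gf2_matvec(K, gE) if valid else [rng.randrange(2) for _ in range(m)]
    return {"valid": valid, "alice_key": alice_key, "bob_key": bob_key,
            "n": n, "l": l, "test_errors": sum(g[i] != h[i] for i in T)}

# Constructed parameters: 4000 signals, 50% detection, 2% errors on matching bases.
PARAMS = {"N": 4000, "m": 100, "r": 150, "delta": 0.06, "tau_f": 0.01,
          "tau_ec": 0.01, "p_R": 0.25, "r_min": 0.3, "p_detect": 0.5,
          "error_rate": 0.02, "L_fraction": 0.5}

if __name__ == "__main__":
    out = run_session(PARAMS, seed=1)
    print("valid:", out["valid"], "shared:", out["alice_key"] == out["bob_key"],
          "n:", out["n"], "l:", out["l"], "errors on T:", out["test_errors"])
```

Raising `error_rate` to 0.3 makes the error count on $T$ exceed $d$, so the test fails and Alice's key is a fresh uniform string, as step 14 prescribes.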



4 Security of the protocol 



In this section we present the security statement for the protocol described in Section 3.2. It follows the structure of Def. 1. The proof of the security statement is given in the remainder of the paper.

Theorem 1 The expected conditional Shannon entropy of the key $\mathbf{k}$ returned by the protocol described in Section 3.2 given Eve's view $\mathbf{v}$ is lower bounded, for any $N > 0$, by

$H(\mathbf{k}|\mathbf{v}) \geq m - \epsilon_1(N,m)$   (12)

where the difference $\epsilon_1(N,m)$ between the bound and the maximal value $m$ is given by Eq. (13) in terms of two functions $g(\delta, \tau_f, p_R, n)$ (Eq. (14), an exponential in $n$) and $h(\delta, \tau_f, p_R, n)$ (Eq. (15), a combination of $\sqrt{g(\delta, \tau_f, p_R, n)}$ and $g(\delta, \tau_f, p_R, n)$). [The closed forms of Eqs. (13)-(15) are not legible in this copy.]

Besides, the conditional probability that Alice and Bob share an identical private key given that the validation test is passed is lower bounded for any $N > 0$ by:

$\Pr(\neg\mathbf{share} \text{ and } \mathbf{valid}) \leq \epsilon_2(N,m)$,   (16)

where $\epsilon_2(N,m)$ is given by Eq. (17) as a minimum over $\tau_f \in (0, 1/2)$ of a sum of terms decaying exponentially in $N$. [The expression (17) is not legible in this copy.]

The functions $\epsilon_1(N,m)$ and $\epsilon_2(N,m)$ decrease exponentially with $N$, as required by the definition of security (Definition 1).

The parameters, the number of emitted signals $N$ out of which the key of length $m$ is created, are chosen in accordance with the performance of the set-up used for preparation, transmission and detection of the quantum signals, in view of Eq. (?). As the number of these transmissions goes to infinity, we can neglect statistical fluctuations of the signal properties and describe the ratio between detected signals and sent signals by a detection rate $p_D = n/N$ and $r_{\min} = n/N$. All security constants $\tau_{ec}$, $\tau_f$, $\tau_p$, $\tau$ and $\tau_m$ can be chosen to be arbitrarily small, and the asymptotic key generation rate per bit of the sifted key, i.e. the ratio $m/l$ of the final key length to the sifted key length, reads in terms of the observed error rate $\delta$

$\frac{m}{l} = \left(1 - \frac{p_m}{p_D}\right)\left[1 - H_2\!\left(\frac{2\delta}{1 - p_m/p_D}\right)\right] - H_2(\delta)$,   (18)

with $H_2$ the binary entropy function. Here we used the asymptotic equalities $l \approx \frac{1 - p_R}{2}\, n$ for the sifted key length and $\lceil(\delta + \tau_{ec})(1 - p_R)|\Omega|\rceil \approx \lceil \delta l \rceil$ for the number of corrected errors. Furthermore, we made use of the Shannon limit $r(\lceil \delta l \rceil, l) \approx l H_2(\delta)$ in Eq. (?).

The overall rate of secure key bits per sent signal, $m/N$, can be calculated directly by multiplying (18) with the asymptotic formula

$\frac{l}{N} = \frac{1 - p_R}{2}\, p_D$.   (19)

The ratio $G$ between key length and received signals, $m/n$, can be obtained by multiplication with $l/n \approx (1 - p_R)/2$. Moreover, in the limit of arbitrarily long keys we can use the limit $p_R \to 0$, since even testing a 'small' fraction of the long key will have statistical significance sufficient for our purpose. Examples of the resulting values of $G$ as a function of distance are shown in Figure 1 for various wavelengths. To put our results into context, we relate our results in Fig. 2 to those obtained for the limited security level of security against individual attacks. Note that the difference between the two results is not substantial. More importantly, the difference might be due to the proof technique used in our result. Our results should therefore not be interpreted as claiming that coherent attacks give more information to Eve than individual attacks do. Furthermore, we lay out the relevant bounds on improved security proofs. The rate is bounded due to the photon number statistics of the source, resulting in

$G_{\mathrm{bound}} = \frac{1}{2}(p_D - p_m)$   (20)

as shown in [6]. We recover this bound by setting $\delta = 0$ in our asymptotic bound.

Figure 1: Asymptotic gain rates using a simulation with the help of experimental parameters. The parameters are drawn from Bourennane et al. [20] for 1.5 μm, Marand and Townsend [21] for 1.3 μm and Townsend [?] for 0.8 μm.

The distance over which secure communication is possible is bounded by the detector noise. As shown in Brassard et al. [?], the minimal transmission efficiency $\eta_{\mathrm{WCP}}$ in the situation of a Poissonian photon number distribution of the source is given by Eq. (21) in terms of $d_B$ and $\eta_B$ [the expression (21) is not legible in this copy], where $d_B$ is the dark count probability of the detector per signal slot and $\eta_B$ is the single photon detection efficiency of the detector. The corresponding distance (given the parameters of the experiment) is shown in Fig. 2.

We have therefore a clear picture of the rates and distances which are shown to be secure by our proof (the area below the curve 'coherent' in Fig. 2) and of those that are shown to be insecure [?], [?] (the area outside of the two bound curves). Note that the area between the 'coherent' line and the two bounds is the area of the unknown. Future classical protocols taking on the error correction and privacy amplification tasks from our protocol in a different way (but leaving the quantum transmission and measurement untouched) and/or improved security proofs can proclaim more of this area 'secure'.

Figure 2: We use the parameters of Bourennane et al. [?] for 1.5 μm to show the secure gain rate per time slot using our results ('coherent'). For comparison, the corresponding results for security against individual attacks [?] are given. The rate is bounded due to the Poissonian photon number distribution of the source and the loss in the quantum channel ('rate bound') as shown in [?]. From the combination of the source statistics, the loss and the detector dark counts, there is a fundamental bound on the distance over which secure QKD could be proven with more advanced proofs than ours, as shown in Brassard et al. [?].

5 Proof of the main result 

The structure of the proof is as follows. In the first section, an important feature of the distribution of errors during the quantum transmission is presented. As an immediate consequence we can prove the integrity of the protocol, meaning that when the validation test is passed, Bob shares the private key with Alice with high probability. The second section deals with the issue of multi-photon signals. It gives an upper bound on the number of bits a spy can get by an attack called the photon number splitting attack. In the third section, we explore the method of privacy amplification implemented by binary matrices, taking into account linear error correction tools. It turns out that the privacy of the protocol is equivalent to the "privacy" in a modified protocol. This equivalence is proved in Section 5.4, and the corresponding mathematical model is provided in Section 5.5. Finally, the proof of privacy of the modified protocol is given.

There are several points where our proof deviates from that of Mayers [?]. Most notably this difference can be seen in Section 5.3, where the deviation between the proofs shows up quantitatively. However, changes in the protocol (in our protocol the number of transmitted signals, which are not necessarily all detected, is fixed, and not the number of detected signals, as in [1]) make it necessary to check in detail that the basic proof idea of Mayers carries through.
5.1 On the distribution of errors and the proof of integrity

We start with a property regarding the distribution of errors which is based solely on basic probability theory. It allows us to make statements on the key derived from the set $E$ based on the counting of errors in the set $T$. As an immediate application this property allows us to prove the integrity of the QKD protocol. Note that in a practical run of quantum key distribution, we could omit this estimation, since we learn the exact number of errors in $E$ during the later stage of error correction. However, the kind of estimation presented here serves a second purpose, which is used later on in our proof. This purpose is to make a statement about the eavesdropping strategy and its expected error rate from the observed error rate. Let us explain this by an example: if Eve implements an intercept/resend attack where she measures Alice's bit in a randomly chosen signal basis and resends a state to Bob corresponding to her measurement result, then she might be lucky and choose the correct signal basis every time. In that (unlikely) event, she would cause no errors while obtaining full information on the key. Indirectly, the property below quantifies the idea that the observed number of errors will belong to a typical run of the protocol.

Property 1 Let S be a set of finite size s. Let C be a randomly chosen subset of S. The random 
variable giving the choice of C is denoted by $\mathbf{C}$. Let A and B be two subsets of S chosen randomly as 
follows: 

1. Each element in S is put (exclusively) in A or B or neither of these sets with respective probabilities 
$p_A$, $p_B$ and $1 - (p_A + p_B)$. That is, the random variables giving the set to which the indexes in S 
belong are independently and identically distributed. 

2. Furthermore, the random variables giving the set to which indexes in S belong are independent 
of the random variable $\mathbf{C}$. 

We denote by $\mathbf{A}$, $\mathbf{B}$ the random variables giving the sets A and B, respectively. Then for any positive 
real numbers $\delta$, $\varepsilon$ such that $0 < \delta < \delta + \varepsilon < 1$, 

$$\Pr\left(|A \cap C| \le \delta s p_A \text{ and } |B \cap C| \ge (\delta + \varepsilon) s p_B\right) \le f(\delta, \varepsilon, p_A, p_B, s) \quad (22)$$

where 

$$f(\delta, \varepsilon, p_A, p_B, s) = \exp\left( -\frac{\varepsilon^2 (\min\{p_A, p_B\})^2 s}{2\delta + \varepsilon} + 2\left(\frac{\varepsilon \min\{p_A, p_B\}}{2\delta + \varepsilon}\right)^2 \right). \quad (23)$$

Proof For any subset C of S, given $\mathbf{C} = C$, each element of C is either in A or in B with respective 
probabilities $p_A$ and $p_B$. 

Now $c = |C|$ is either at most $\lfloor(\delta + \frac{\varepsilon}{2})s\rfloor$ or at least $\lceil(\delta + \frac{\varepsilon}{2})s\rceil$. 

• If $c \le \lfloor(\delta + \frac{\varepsilon}{2})s\rfloor$, let $C' = C \cup D$ where D is some subset of $S \setminus C$ such that $|C'| = c' = \lfloor(\delta + \frac{\varepsilon}{2})s\rfloor$. 
Then $C \subseteq C'$, and 

$$\Pr\left(|B \cap C| \ge (\delta + \varepsilon) s p_B \mid \mathbf{C} = C\right) \le \Pr\left(|B \cap C'| \ge (\delta + \varepsilon) s p_B \mid \mathbf{C} = C\right). \quad (24)$$

Furthermore, 

$$(\delta + \varepsilon) s p_B = \frac{2\delta + 2\varepsilon}{2\delta + \varepsilon}\, p_B \left(\delta + \frac{\varepsilon}{2}\right) s \ge \left(1 + \frac{\varepsilon}{2\delta + \varepsilon}\right) p_B c', \quad (25)$$

and using Property 16 from the Appendix for the set B and the set C', 

$$\Pr\left(|B \cap C'| \ge (\delta + \varepsilon) s p_B \mid \mathbf{C} = C\right) \le \Pr\left(|B \cap C'| \ge \left(1 + \frac{\varepsilon}{2\delta + \varepsilon}\right) p_B c' \;\middle|\; \mathbf{C} = C\right) \quad (26)$$
$$\le \exp\left(-2c' \left(\frac{\varepsilon p_B}{2\delta + \varepsilon}\right)^2\right) \quad (27)$$
$$\le f(\delta, \varepsilon, p_A, p_B, s), \quad (28)$$

since $(\min\{p_A, p_B\})^2 \le p_B^2$ and $c' \ge (\delta + \frac{\varepsilon}{2})s - 1$. Of course this implies that 

$$\Pr\left(|A \cap C| \le \delta s p_A \text{ and } |B \cap C| \ge (\delta + \varepsilon) s p_B \mid \mathbf{C} = C\right) \le f(\delta, \varepsilon, p_A, p_B, s). \quad (29)$$

• If $c \ge \lceil(\delta + \frac{\varepsilon}{2})s\rceil$, then 

$$\delta s p_A = \frac{2\delta}{2\delta + \varepsilon}\, p_A \left(\delta + \frac{\varepsilon}{2}\right) s \le \left(1 - \frac{\varepsilon}{2\delta + \varepsilon}\right) p_A c, \quad (30)$$

and using Property 16 for the set A and the set C, 

$$\Pr\left(|A \cap C| \le \delta s p_A \mid \mathbf{C} = C\right) \le \Pr\left(|A \cap C| \le \left(1 - \frac{\varepsilon}{2\delta + \varepsilon}\right) p_A c \;\middle|\; \mathbf{C} = C\right) \quad (31)$$
$$\le \exp\left(-2c \left(\frac{p_A \varepsilon}{2\delta + \varepsilon}\right)^2\right) \quad (32)$$
$$\le f(\delta, \varepsilon, p_A, p_B, s), \quad (33)$$

since $(\min\{p_A, p_B\})^2 \le p_A^2$ and $c \ge (\delta + \frac{\varepsilon}{2})s > (\delta + \frac{\varepsilon}{2})s - 1$. Again, this implies that 

$$\Pr\left(|A \cap C| \le \delta s p_A \text{ and } |B \cap C| \ge (\delta + \varepsilon) s p_B \mid \mathbf{C} = C\right) \le f(\delta, \varepsilon, p_A, p_B, s). \quad (34)$$

We conclude that for any C, 

$$\Pr\left(|A \cap C| \le \delta s p_A \text{ and } |B \cap C| \ge (\delta + \varepsilon) s p_B \mid \mathbf{C} = C\right) \le f(\delta, \varepsilon, p_A, p_B, s). \quad (35)$$

Thus 

$$\Pr\left(|A \cap C| \le \delta s p_A \text{ and } |B \cap C| \ge (\delta + \varepsilon) s p_B\right) = \sum_C P_{\mathbf{C}}(C)\, \Pr\left(|A \cap C| \le \delta s p_A \text{ and } |B \cap C| \ge (\delta + \varepsilon) s p_B \mid \mathbf{C} = C\right) \quad (36)$$
$$\le f(\delta, \varepsilon, p_A, p_B, s), \quad (37)$$

which concludes the proof. □ 

An immediate consequence of Property 1 is that the error rate in the sifted key is not significantly 
higher than the error rate observed by Alice and Bob during the validation test. This implies the integrity 
of the protocol, as defined in Def. [?], or more formally: 

Property 2 The joint probability that Alice and Bob fail to share an identical key and that the validation 
test is passed is bounded by: 

$$\Pr(\neg\mathrm{share} \text{ and } \mathrm{valid}) \le \varepsilon_2(N, \tau) \quad (38)$$

where 

$$\varepsilon_2(N, \tau) = \min_{\tau_\Omega \in (0, 1/2)} \left[ \exp\left( -\frac{\tau_{ec}^2 (\min\{p_R, 1 - p_R\})^2 (\frac{1}{2} - \tau_\Omega)\, r_{min} N}{2\delta + \tau_{ec}} + 2\left(\frac{\tau_{ec} \min\{p_R, 1 - p_R\}}{2\delta + \tau_{ec}}\right)^2 \right) + e^{-2\tau_\Omega^2 r_{min} N} \right]. \quad (39)$$

Proof We have seen that Alice and Bob run an error-correcting scheme capable of correcting $\lfloor(\delta + \tau_{ec})(1 - p_R)|\Omega|\rfloor$ 
errors in E. Thus Bob shares exactly the same key after the error correction step if there 
are less than $(\delta + \tau_{ec})(1 - p_R)|\Omega|$ errors in E. Given that $\mathbf{\Omega} = \Omega$ where $\Omega \subseteq \{1, \ldots, N\}$, the probability 
that the validation test passes while there are more than $(\delta + \tau_{ec})(1 - p_R)|\Omega|$ errors in E is bounded by: 

$$\Pr\left(\mathcal{P}(T, \delta|\Omega|p_R) \wedge \neg\mathcal{P}(E, (\delta + \tau_{ec})|\Omega|(1 - p_R))\right)$$
$$= \Pr\left(|T \cap C| \le \delta|\Omega|p_R \text{ and } |E \cap C| \ge (\delta + \tau_{ec})|\Omega|(1 - p_R)\right) \quad (40)$$
$$\le f(\delta, \tau_{ec}, p_R, 1 - p_R, |\Omega|) \le \exp\left( -\frac{\tau_{ec}^2 (\min\{p_R, 1 - p_R\})^2 |\Omega|}{2\delta + \tau_{ec}} + 2\left(\frac{\tau_{ec} \min\{p_R, 1 - p_R\}}{2\delta + \tau_{ec}}\right)^2 \right) \quad (41)$$

using the above property for $S = \Omega$ and where $\mathbf{C}$ is the random variable giving the set of discrepancies 
between Alice's bits $g(\Omega)$ and Bob's bits $h(\Omega)$ on $\Omega$. Indeed, $\mathbf{R}$ is independent of $\mathbf{C}$, and consequently 
the random variables giving the set (E or T) to which the indexes in $\Omega$ belong are independently and 
identically distributed ($\Pr(i \in E \mid i \in \Omega) = 1 - p_R$ and $\Pr(i \in T \mid i \in \Omega) = p_R$), and independent of 
$\mathbf{C}$. The above implies that the probability that the error correction fails to reconcile Alice's and Bob's 
sifted keys while the validation test is passed is upper-bounded by an exponentially decreasing function 
of $|\Omega|$. Now, each index in $\mathcal{D}$ has probability 1/2 to be put in the set $\Omega$. Let $\tau_\Omega$ be a constant obeying 
$0 < \tau_\Omega < 1/2$. Suppose we are given that $\mathbf{n} = n$ for some positive integer n. Using Property 16 in the 
Appendix, the probability that $\Omega$ contains less than $(\frac{1}{2} - \tau_\Omega)n$ indexes is bounded by: 

$$\Pr\left(|\Omega| < (\tfrac{1}{2} - \tau_\Omega)\, n \;\middle|\; \mathbf{n} = n\right) \le e^{-2\tau_\Omega^2 n}. \quad (42)$$

Therefore, 

$$\Pr(\neg\mathrm{share} \wedge \mathrm{valid}) \le \Pr\left(\mathcal{P}(T, \delta|\Omega|p_R) \wedge \neg\mathcal{P}(E, (\delta + \tau_{ec})|\Omega|(1 - p_R)) \wedge \mathbf{n} \ge r_{min} N\right) \quad (43)$$
$$\le \Pr\left(\mathcal{P}(T, \delta|\Omega|p_R) \wedge \neg\mathcal{P}(E, (\delta + \tau_{ec})|\Omega|(1 - p_R)) \;\middle|\; |\Omega| \ge (\tfrac{1}{2} - \tau_\Omega)\, n,\ n \ge r_{min} N\right) + \Pr\left(|\Omega| < (\tfrac{1}{2} - \tau_\Omega)\, n \;\middle|\; n \ge r_{min} N\right)$$
$$\le \exp\left( -\frac{\tau_{ec}^2 (\min\{p_R, 1 - p_R\})^2 (\frac{1}{2} - \tau_\Omega)\, r_{min} N}{2\delta + \tau_{ec}} + 2\left(\frac{\tau_{ec} \min\{p_R, 1 - p_R\}}{2\delta + \tau_{ec}}\right)^2 \right) + e^{-2\tau_\Omega^2 r_{min} N} \quad (44)$$

since $n \ge r_{min} N$ if the validation test is passed. Since this equation has to hold for all values $\tau_\Omega \in (0, 1/2)$, 
we have in particular 

$$\Pr(\neg\mathrm{share} \wedge \mathrm{valid}) \le \min_{\tau_\Omega \in (0, 1/2)} \left[ \exp\left( -\frac{\tau_{ec}^2 (\min\{p_R, 1 - p_R\})^2 (\frac{1}{2} - \tau_\Omega)\, r_{min} N}{2\delta + \tau_{ec}} + 2\left(\frac{\tau_{ec} \min\{p_R, 1 - p_R\}}{2\delta + \tau_{ec}}\right)^2 \right) + e^{-2\tau_\Omega^2 r_{min} N} \right]. \quad (45)$$

This concludes the proof. 

5.2 On multiple photon signals 

Let $\mathcal{A} = \{1, \ldots, N\}$ be the set of indexes of all signals Alice sent. Each signal Alice sends contains zero, 
one or more photons, with respective probabilities denoted by $p_V$, $p_S$ and $p_M$. Alice does not know how 
many photons she actually emits in each individual pulse. However, a potential eavesdropper Eve can 
learn the actual number of emitted photons without disturbing the quantum signal, thanks to a quantum 
non-demolition measurement (we assume no technological limitation for the enemy). Let us denote by V, 
S and M the sets of indexes of signals containing zero, one and more photons, respectively. Therefore 
$V \cup S \cup M = \mathcal{A}$ and the sets V, S and M are disjoint. We will denote by $\Sigma = (V, S, M)$ this partition of 
$\mathcal{A}$. We will deal with the worst case scenario in which the partition $\Sigma$ is unknown to Alice, but perfectly 
known to Eve. 

In the following sections, a lower bound on the number of bits in the sifted key not arising from 
multi-photon signals (that is, $|E \cap \overline{M}|$) will be required. Most practical implementations of quantum key 
distribution today use a quantum channel with a high loss rate, due to technological limitations. This loss 
rate must be taken into account to establish the required lower bound, because Eve could secretly replace 
the quantum channel by a perfect quantum channel without loss (again, we assume no technological 
limitation for Eve). Eve might then stop signals containing only one photon, as long as the resulting loss 
rate of the quantum channel does not exceed significantly the expected loss rate of the original channel. 
By doing so, Eve increases the proportion of bits arising from multi-photon signals in the sifted key, 
without being noticed by the legitimate users. Now, if a signal sent by Alice contains several photons, 
Eve can split off one photon from the pulse without disturbing the polarisation of the remaining photons. 
She stores the stolen photon until bases are announced and learns deterministically the corresponding 
bit by measuring it in the correct basis. This attack is usually referred to as the photon number splitting 
attack [?]. It is in view of this attack (in a slightly different context) that we will need to estimate the 
number of bits in the sifted key that are not arising from multi-photon signals. 

It is possible to give a probabilistic lower bound on the number of bits in the sifted key that are 
not arising from multiple photon signals, provided that an upper bound on the probability $p_M$ is given. 
More precisely: 

Property 3 Let us denote by $\tilde l$ the number of bits in E that are not arising from multi-photon signals, i.e. 
$\tilde l = |E \cap \overline{M}|$. We denote by $\tilde{\mathbf{l}} = |\mathbf{E} \cap \overline{M}|$ the corresponding random variable. We recall that we defined 
the random variable $\tilde{\mathbf{l}}_{min}$ as: 

$$\tilde{\mathbf{l}}_{min} = \left(\frac{1 - p_R}{2} - \bar\tau\right)(\mathbf{n} - M_{max}) \quad (46)$$

where the security constants $\tau_M$ and $\bar\tau$ are strictly positive real numbers such that $M_{max}/N < r_{min}$ and 
$\frac{1 - p_R}{2} - \bar\tau > 0$. Then the joint probability that $\mathbf{n} \ge r_{min} N$ and that $\tilde{\mathbf{l}} < \tilde{\mathbf{l}}_{min}$ is bounded by: 

$$\Pr\left(\tilde{\mathbf{l}} < \tilde{\mathbf{l}}_{min} \wedge \mathbf{n} \ge r_{min} N\right) \le e^{-2\bar\tau^2 (r_{min} N - M_{max})} + e^{-2\tau_M^2 N}. \quad (47)$$

Proof We consider the worst case scenario in which all losses and errors are caused by Eve's 
intervention on the quantum channel. Obviously, in order to minimise $\tilde l$, Eve intervenes in such a way 
that $M \subseteq \mathcal{D}$. 

Suppose we are given that Bob detected $\mathbf{n} = n$ signals and that $\mathbf{M} = M$. Then there are at least 
$n - |M|$ signals in $\mathcal{D}$ that are not arising from multi-photon pulses. Now, each of these non-multiphoton 
signals in $\mathcal{D}$ has probability $\frac{1 - p_R}{2}$ of being put in the set E. Therefore, the probability that there are less 
than $\left(\frac{1 - p_R}{2} - \bar\tau\right)(n - |M|)$ signals in the sifted key not arising from multi-photon signals is bounded by: 

$$\Pr\left(\tilde{\mathbf{l}} < \left(\frac{1 - p_R}{2} - \bar\tau\right)(n - |M|) \;\middle|\; \mathbf{n} = n,\ \mathbf{M} = M\right) \le e^{-2\bar\tau^2 (n - |M|)} \quad (48)$$

using Property 16 in the Appendix. 

Now, the marginal probability that Alice sent more than $(p_M + \tau_M)N$ multi-photon signals is 
bounded using Property 16 in the Appendix: 

$$\Pr\left(|\mathbf{M}| > (p_M + \tau_M)N\right) \le e^{-2\tau_M^2 N} \quad (49)$$

since each signal Alice sends has probability $p_M$ of being in M. 

Note that $\left(\frac{1 - p_R}{2} - \bar\tau\right)(n - |M|) \ge \tilde l_{min}$ whenever $|M| \le (p_M + \tau_M)N$. Therefore, given that $\mathbf{n} = n$, 
the probability that there are less than $\tilde l_{min}$ signals in the sifted key that were not emitted with several 
photons is bounded by: 

$$\Pr\left(\tilde{\mathbf{l}} < \tilde l_{min} \mid \mathbf{n} = n\right) \le \Pr\left(|\mathbf{M}| > (p_M + \tau_M)N \mid \mathbf{n} = n\right) + \Pr\left(\tilde{\mathbf{l}} < \tilde l_{min} \text{ and } |\mathbf{M}| \le (p_M + \tau_M)N \mid \mathbf{n} = n\right) \quad (50)$$
$$\le \Pr\left(|\mathbf{M}| > (p_M + \tau_M)N \mid \mathbf{n} = n\right) + e^{-2\bar\tau^2 (n - (p_M + \tau_M)N)}. \quad (51)$$

Multiplying both sides by $P_{\mathbf{n}}(n)$ and summing over $n \ge r_{min} N$, we get: 

$$\Pr\left(\tilde{\mathbf{l}} < \tilde l_{min} \wedge \mathbf{n} \ge r_{min} N\right) \le \Pr\left(|\mathbf{M}| > (p_M + \tau_M)N \wedge \mathbf{n} \ge r_{min} N\right) + \sum_{n \ge r_{min} N} e^{-2\bar\tau^2 (n - (p_M + \tau_M)N)} P_{\mathbf{n}}(n) \quad (52)$$
$$\le \Pr\left(|\mathbf{M}| > (p_M + \tau_M)N\right) + e^{-2\bar\tau^2 (r_{min} N - (p_M + \tau_M)N)} \quad (53)$$

which concludes the proof. □ 



5.3 On privacy amplification 

In this section, diverse notions used in connection with privacy amplification are defined. In particular, 
we define $d_{\tilde G}$, the minimal weight of a privacy amplification code used in conjunction with an error- 
correcting code and an imperfect source. Finally, an important probabilistic lower bound on this weight 
is proved. This bound will be used in the last part of the proof. It is this minimal weight which will keep 
track of the multi-photon signals. The changed estimation of the minimum weight is therefore the most 
important change of this proof with respect to Mayers' proof [1], although other details need to be adapted. 
The privacy amplification is specified by an $m \times l$ binary matrix K. The linear error correction code is 
specified by an $r \times l$ binary parity check matrix F. We introduce some notations. Let G be the $(r + m) \times l$ 
matrix: 

$$G = \begin{pmatrix} F \\ K \end{pmatrix}. \quad (55)$$

For any matrix A, $A_{(i)}$ denotes its i-th row and $A^{(i)}$ its i-th column. 

Recall that $\tilde l = |E \cap \overline{M}|$ is the number of signals in E that are not arising from pulses sent with 
several photons. 

Let $\tilde G$ be the $(r + m) \times \tilde l$ matrix obtained from G by removing the columns $G^{(i)}$, $i \in M \cap E$, 
corresponding to the multi-photon signals. Equivalently, $\tilde G$ is the matrix formed by the $\tilde l$ columns of G 
corresponding to signals in $E \cap \overline{M}$. Let $\hat G$ be the $(r + m) \times (l - \tilde l)$ matrix formed by the $(l - \tilde l)$ columns 
$G^{(i)}$, $i \in E \cap M$. Similarly, we define $\tilde F$, $\tilde K$ obtained from F, K by removing the $l - \tilde l$ columns $F^{(i)}$, $K^{(i)}$, 
$i \in E \cap M$ respectively, and $\hat F$, $\hat K$ are the matrices formed by the $l - \tilde l$ columns $F^{(i)}$, $K^{(i)}$, $i \in E \cap M$ 
respectively. Thus 

$$\tilde G = \begin{pmatrix} \tilde F \\ \tilde K \end{pmatrix}, \qquad \hat G = \begin{pmatrix} \hat F \\ \hat K \end{pmatrix}. \quad (56)$$

Let $\mathcal{G}$ be the set of linear combinations of rows of $\tilde G$. Let $\mathcal{G}^*$ be the set of linear combinations of 
rows of $\tilde G$ which contain at least one row of $\tilde K$, i.e. 

$$\mathcal{G}^* = \left\{ \sum_i z_i \tilde G_{(i)} \pmod 2 : z \in \{0, 1\}^{r + m},\ z_j = 1 \text{ for at least one } j \in \{r + 1, \ldots, r + m\} \right\}. \quad (57)$$

We define C as: 

$$C = \left\{ f \in \{0, 1\}^{\tilde l} : \tilde G f = 0 \right\} = (\mathcal{G})^{\perp}. \quad (58)$$

Note that $C^{\perp} = \mathcal{G}$. We define the minimum weight of $\mathcal{G}^*$ as the integer: 

$$d_{\tilde G} = \min_{x \in \mathcal{G}^*} w(x). \quad (59)$$

Equivalently, 

$$d_{\tilde G} = \min_{u \in \{0, 1\}^r,\ v \in \{0, 1\}^m \setminus \{0\}} w(u \tilde F + v \tilde K). \quad (60)$$

The minimum weight is an important characterisation of the combination of the error correction code 
matrix F and the privacy amplification matrix K. It denotes the minimum number of signals contributing 
to key bits or parities of sets of key bits after taking into account publicly known parities from the error 
correction code and the knowledge from multi-photon signals. We need a probabilistic bound on this 
quantity. Here we will derive it for the case of random coding where K is a random binary matrix, but we 
would like to point out that other suitable choices for K are indeed possible, and might lead to increased 
performance of the protocol in terms of the yield of secure bits. The important property to be fulfilled is 
Property [?]. 

We approach the bound on $d_{\tilde G}$ via the following lemma taken directly from [?]: 

Lemma 1 Let k, a and b be positive integers. Let A be any $a \times k$ binary matrix. Let B be a $b \times k$ binary 
matrix, picked at random with uniform distribution. We denote by $\mathbf{B}$ the corresponding random variable. 
Let $d_{AB}$ be the minimum weight of linear combinations of rows of A and B that contain at least one row 
of B: 

$$d_{AB} = \min_{u \in \{0, 1\}^a,\ v \in \{0, 1\}^b \setminus \{0\}} w(uA + vB). \quad (61)$$

Then for any positive real number x such that $x/k < 1/2$ and for any positive real number $\tau$, 

$$\frac{a + b}{k} \le 1 - H_1\left(\frac{x}{k}\right) - \tau \;\Longrightarrow\; \Pr(\mathbf{d}_{AB} < x) \le 2^{-\tau k} \quad (62)$$

where $H_1$ is the binary entropy function. 

Proof of the lemma Let C be the $(a + b) \times k$ matrix defined by: 

$$C = \begin{pmatrix} A \\ B \end{pmatrix}. \quad (63)$$

Define the real number R as $R = k H_1^{-1}\left(1 - \frac{a + b}{k} - \tau\right)$ where $H_1^{-1}$ is the inverse function of the 
restricted bijective function $H_1 : [0, \frac{1}{2}] \to [0, 1]$. Assume that $\frac{a + b}{k} \le 1 - H_1(\frac{x}{k}) - \tau$. This implies that 
$x \le R$. Let $\mathcal{B}$ be the sphere in $\{0, 1\}^k$ centred at the zero string and of radius R. For $i \in \{1, \ldots, b\}$, 
let us denote by $q_i$ the probability that there exists $z \in \{0, 1\}^{a + i - 1}$ such that $B_{(i)} + \sum_{j=1}^{a + i - 1} z_j C_{(j)} \in \mathcal{B}$ 
(equivalently, $q_i$ is the probability that the coset $B_{(i)} + \mathrm{Span}(\{C_{(j)}\}_{j \le a + i - 1})$ intersects $\mathcal{B}$). Then 

$$\Pr(\mathbf{d}_{AB} < x) \le \Pr(\mathbf{d}_{AB} < R) \quad (64)$$
$$= q_1 + q_2(1 - q_1) + \cdots + q_b \prod_{i=1}^{b - 1}(1 - q_i) \quad (65)$$
$$\le \sum_{i=1}^{b} q_i \quad (66)$$

since the probability that $\mathbf{d}_{AB} < R$ is the probability that, if one picks successively at random the rows 
$B_{(1)}, B_{(2)}, \ldots, B_{(b)}$, at some step $i \in \{1, \ldots, b\}$ the set $B_{(i)} + \mathrm{Span}(\{C_{(j)}\}_{j \le a + i - 1})$ intersects $\mathcal{B}$. 
Now, 

$$\left(B_{(i)} + \mathrm{Span}(\{C_{(j)}\}_{j \le a + i - 1})\right) \cap \mathcal{B} \ne \emptyset \;\Longleftrightarrow\; B_{(i)} \in \left\{ x + \mathrm{Span}(\{C_{(j)}\}_{j \le a + i - 1}) : x \in \mathcal{B} \right\}, \quad (67)$$

where the size of the last set is upper bounded by $|\mathcal{B}| \times |\mathrm{Span}(\{C_{(j)}\}_{j \le a + i - 1})|$. Since $B_{(i)}$ is chosen 
randomly out of $2^k$ strings, 

$$q_i \le \frac{|\mathcal{B}| \times |\mathrm{Span}(\{C_{(j)}\}_{j \le a + i - 1})|}{2^k} \quad (68)$$
$$\le 2^{a + i - 1 - k} |\mathcal{B}|, \quad (69)$$

and using the binomial tail inequality (Property [?]): 

$$|\mathcal{B}| = \sum_{g=0}^{R} \binom{k}{g} \le 2^{k H_1(R/k)} \quad \text{for } \frac{R}{k} \le \frac{1}{2}, \quad (70)$$

we find 

$$q_i \le 2^{a + i - 1 - k + k H_1(R/k)}, \quad (71)$$

thus 

$$\Pr(\mathbf{d}_{AB} < R) \le \sum_{i=1}^{b} q_i = 2^{a - k + k H_1(R/k)} \sum_{i=0}^{b - 1} 2^i \le 2^{-\tau k}. \quad (72)$$

Therefore, the expected probability that $\mathbf{d}_{AB} < R$ is smaller than $2^{-\tau k}$. Thus, 

$$\frac{a + b}{k} \le 1 - H_1\left(\frac{x}{k}\right) - \tau \;\Longrightarrow\; \Pr(\mathbf{d}_{AB} < x) \le 2^{-\tau k} \quad (73)$$

which concludes the proof of the lemma. □ 

This bound allows us to prove the following crucial property: 

Property 4 Let $\mathbf{d}_{\tilde G}$ be the random variable giving the minimum weight $d_{\tilde G}$ defined above. Then, given 
that $\mathbf{n} = n$ for some positive integer n and $\tilde{\mathbf{l}} \ge \tilde l_{min}$, 

$$\Pr\left(\mathbf{d}_{\tilde G} < (\delta + \tau_f)(1 - p_R)\, n \;\middle|\; \tilde{\mathbf{l}} \ge \tilde l_{min},\ \mathbf{n} = n,\ \mathrm{valid} = \mathrm{True}\right) \le 2^{-\tau_f \tilde l_{min}}. \quad (74)$$

Proof Given that $\mathbf{n} = n$ and $\tilde{\mathbf{l}} = \tilde l \ge \tilde l_{min}$, note that the random variable $\mathbf{K}$ is uniformly distributed 
and independent of the other variables. Passing the validation test in the protocol requires that the constraint 

$$\frac{m + r}{\tilde l_{min}} \le 1 - H_1\left(\frac{2(\delta + \tau_f)\frac{1 - p_R}{2}\, n}{\tilde l_{min}}\right) - \tau_f \quad (75)$$

is satisfied. Since the validation test is passed, and in particular Eqn. ([?]) holds, the argument x of $H_1(x)$ satisfies 
$x < 1/2$. Moreover, we have $\tilde l \ge \tilde l_{min}$, and therefore 

$$1 - H_1\left(\frac{2(\delta + \tau_f)\frac{1 - p_R}{2}\, n}{\tilde l}\right) - \tau_f \ge 1 - H_1\left(\frac{2(\delta + \tau_f)\frac{1 - p_R}{2}\, n}{\tilde l_{min}}\right) - \tau_f.$$

Therefore, the numbers of rows of F and K verify: 

$$\frac{m + r}{\tilde l} \le 1 - H_1\left(\frac{2(\delta + \tau_f)\frac{1 - p_R}{2}\, n}{\tilde l}\right) - \tau_f. \quad (76)$$

We can therefore apply the above lemma for $A = \tilde F$, $B = \tilde K$, $k = \tilde l$ and $x = 2(\delta + \tau_f)\frac{1 - p_R}{2}\, n$. We 
obtain that: 

$$\Pr\left(\mathbf{d}_{\tilde G} < 2(\delta + \tau_f)\frac{1 - p_R}{2}\, n \;\middle|\; \tilde{\mathbf{l}} \ge \tilde l_{min},\ \mathbf{n} = n,\ \mathrm{valid} = \mathrm{True}\right) \le 2^{-\tau_f \tilde l_{min}} \quad (77)$$

or, 

$$\Pr\left(\mathbf{d}_{\tilde G} < (\delta + \tau_f)(1 - p_R)\, n \;\middle|\; \tilde{\mathbf{l}} \ge \tilde l_{min},\ \mathbf{n} = n,\ \mathrm{valid} = \mathrm{True}\right) \le 2^{-\tau_f \tilde l_{min}}, \quad (78)$$

which concludes the proof of the property. □ 



5.4 Reduction to a modified situation 

In this section, a modified situation of the original protocol is defined. This modified situation does not 
correspond to a key distribution, but nevertheless a "key" is defined at Alice's side. Surprisingly, the 
"privacy" in the modified situation implies the privacy of the original protocol, and this implication is 
proved. 

5.4.1 Equivalence with the modified protocol 

We first describe the modified protocol, which is similar to the original protocol except that Bob measures 
the photons in the sifted set E in the wrong bases (therefore Bob does not share the private key with 
Alice). We show that the security of the modified protocol is equivalent to the security of the original 
protocol. 

In the subsequent discussion, we will consider - without loss of generality as far as the security of 
the protocol is concerned - that Bob's choice of measurement bases b and the set R are provided by a 
randomising box at Bob's side: the box generates randomly a choice for R and for b at the beginning of 
the protocol. It then provides Bob with the generated data as required by the protocol, that is, it gives 
b during step [?] and R at step 4 to Bob. We now define the intermediate protocol as follows. In the 
intermediate protocol, 

• Alice behaves exactly as in the original protocol. 

• Bob's randomising box generates R and b as before, but gives $\tilde b$ instead of b to Bob at step [?], where 

$$\tilde b_i = \begin{cases} b_i & \text{if } i \in R \\ \neg b_i & \text{if } i \notin R. \end{cases} \quad (79)$$

The box announces R to Bob at step [?] as in the original protocol. 
• Bob behaves exactly as in the original situation, except that, in step [?], after he learned the choice 
for R, he computes and announces b rather than $\tilde b$. 

Therefore, in the modified protocol, Bob measures Alice's signals in the bases $\tilde b$ and announces 
b. The underlying idea is that the original and the modified protocols are identical, except that Bob 
measures the signals indexed in $\overline{R}$ in the wrong bases (without actually knowing R). Consequently, 
Alice's sifted key and Bob's sifted key are uncorrelated: Bob does not share the key with Alice. The 
private key is only defined in Alice's hands. Therefore, this situation does not describe a key exchange. 
It is only an abstract stepping stone towards the proof of unconditional privacy, thanks to the following 
property: 

Property 5 Whichever strategy a potential eavesdropper Eve chooses, the random variable giving jointly 
Alice's private key and Eve's view has the same probability distribution in both protocols. 

Proof In the following, we say that a random variable in the original protocol and the corresponding 
random variable in the modified protocol are indistinguishable if and only if their probability distributions 
are identical. A quantum system whose state is not a priori known is characterised by an ensemble 
description. Given a system having probability $p_i$ to be in the state $\rho_i$ for $i = 1, 2, \ldots, k$, its ensemble 
description is the list $\{(p_i, \rho_i)\}_i$, that is, the list of its possible states together with the corresponding 
probabilities. We say that a quantum system in the original protocol and the corresponding quantum 
system in the modified protocol are indistinguishable if and only if their ensemble descriptions are 
identical. Throughout the proof of this property, we consider an arbitrary but fixed strategy adopted by 
Eve. By strategy, we mean the algorithm or the "program" followed by Eve to eavesdrop. Therefore, if 
Eve is given the same input, she will act identically. We have to prove that the data Eve accesses and 
the private key Alice gets in the original protocol and in the modified protocol are indistinguishable if 
Eve follows this given strategy. Recall that in the original protocol, Eve learns the values of $\mathcal{D}$, R, b, 
$h(\mathcal{D} \cap R)$, $\mathcal{P}(T, d)$, a, F, s and K via the public discussions. Eve may also attempt to eavesdrop on the 
quantum channel. If a pulse contains several photons, Eve might keep one photon and store it until bases 
are announced, thus obtaining deterministically the corresponding bit. Eve may also entangle a quantum 
probe P with Alice's single photon signals, and measure P after the public discussions. She might also stop 
some single photon signals, leaving pulses in the vacuum state to Bob. Let $(A, B, C, \ldots, D)$ be a set of 
random variables (and/or quantum systems) in the original protocol. Let $(A', B', C', \ldots, D')$ be the set 
of corresponding random variables (and/or quantum systems) in the modified protocol. Note that one 
can show that the set $(A, B, C, \ldots, D)$ is indistinguishable from the set $(A', B', C', \ldots, D')$ by showing 
successively that: A and A' are indistinguishable; given that A and A' take the same value (denoted as 
$A = A'$), B and B' are indistinguishable; given $A = A'$ and $B = B'$, C and C' are indistinguishable; 
etc. Now: 

• The choices for a, g, b and R are indistinguishable in both protocols. Given that the choices for a, 
g, b and R take the same values in both protocols, Alice announces the same a in step [?] and Bob 
announces the same b and R in step [?]. 

• Given that Alice's choices for a and g take the same value in both protocols, Alice's quantum signals 
are indistinguishable in both protocols. 

• Given that Alice's quantum signals are in the same state in both protocols, Eve acts on them in the 
same manner: the interaction of the quantum signals with Eve's apparatus and the probe P remains 
the same. Thus the resulting quantum signals (disturbed and/or suppressed by Eve) received by 
Bob are indistinguishable in both protocols. Likewise, the resulting states of Eve's apparatus and 
probe P are indistinguishable in both protocols. Naturally, after the above coupling, the density 
matrix describing P does not depend on Bob's choice of bases or on the outcomes of the measurements. 

• We assumed that, given a quantum signal, the probability that Bob detects at least one photon in 
this signal is independent of his choice of basis. Therefore, given that Alice's quantum signals are 
identical in both protocols, the set of detected signals in the modified protocol is indistinguishable 
from the set $\mathcal{D}$ of detected signals in the original protocol. Given that the choice for b and R is the 
same in both protocols, since $\tilde b_i = b_i$ for $i \in R$, the measurement outcome $h_i$ in the modified protocol 
is indistinguishable from the $h_i$ in the original protocol, for $i \in R$. Therefore Bob's announcement of 
$h(R \cap \mathcal{D})$ in the modified protocol is indistinguishable from its counterpart in the original protocol. 

• As a result, the sets $\Omega$, T and E computed by Alice in the modified protocol are indistinguishable 
from the corresponding sets computed in the original protocol. 

• The above implies that the outcome of the test $\mathcal{P}(T, d)$ is indistinguishable in both protocols. 

• In both protocols, Alice's choices for K and F are indistinguishable. Given that g, E and F take the 
same values in both protocols, Alice announces the same syndrome s. 

• The private data Eve wishes to discover is the private key $K g(E) \pmod 2$ in both situations. 

Therefore, the public announcements, Eve's apparatus and probe, and Alice's private key are 
indistinguishable in both protocols. Thus the random variables giving the results Eve gets from measuring her 
apparatus and probe are indistinguishable in both situations. This concludes the proof. □ 

5.4.2 Further reduction 

The previous section has shown that it is sufficient to prove privacy of the modified protocol to prove that 
the original protocol is secure. It turns out that it is simpler to prove security for the modified protocol 
since Bob has no information about the private key. The privacy of the modified protocol can be proved 
even in the following situation where: 

• Alice announces generously g(E) after she announces a in step [?], and 

• Bob announces generously $h(\mathcal{D})$ in step [?] (i.e. before the announcement of the revealed set R), instead 
of announcing $h(\mathcal{D} \cap R)$ in step 6. 

Of course, this can only weaken the security of the modified protocol, and the security of the resulting 
protocol implies the security of the original protocol. 

Provided the randomising box is not corrupted and the random choices of R and b are announced 
honestly in step [?] by the box, the security of the modified protocol can be proved even if we furthermore 
assume that Bob is corrupted by Eve. That is, Bob tells Eve the output $\tilde b$ of the randomising box in step [?], 
and Eve and Bob together make the measurement they want on the quantum signals sent by Alice. 
Bob then announces $\mathcal{D}$ and $h(\mathcal{D})$ as told by Eve in step [?]. Thus we can regard the couple Eve-Bob as a 
single enemy, provided that the randomising box is not corrupted and that the public announcement of 
R and b in step [?] is made directly by the box. 

Of course, h(T) should be close enough to g(T) so that the couple Eve-Bob passes the test. The 
eavesdropping fails if Alice declares $\neg\mathcal{P}(T, d)$. After the public discussion, Eve may execute another 
measurement on the residual state of the photons to refine her information. 

5.4.3 Reduction related to multiple photon signals 

We now present a reduction related to the multiple photon signals. By assuming that the enemy has 
full knowledge about the multiple photon signals prior to any public announcement, this reduction will 
allow us to work with a simpler situation in which the enemy is performing a conditional measurement 
on single photon signals only. 

Since Eve has no technological limitation, we must assume that Eve-Bob have perfect detectors. 
We also consider the worst case scenario in which Eve replaces the quantum channel by a perfect one. 
Therefore, Eve-Bob are cheating when the set $\mathcal{D}$, containing all signals in which Bob officially detected at 
least one photon, is not equal to $S \cup M$. Eve-Bob choose the set $\mathcal{D}$ at their convenience, while ensuring 
that the observed transmission rate n/N is not significantly lower than the expected transmission rate. 
Now, if Alice emits a signal of index i with several photons, Eve-Bob may pick up one photon from the 
signal and measure it in basis $\tilde b_i$, giving the outcome $h_i$. Then they measure the remaining photons in 
the pulse in the other basis $\neg\tilde b_i$, yielding a result $h'_i$. The bit $h_i$ allows Eve-Bob to pass the test for the 
index i, if $i \in T$. After the announcement of Alice's basis $a_i$, Eve-Bob know whether $a_i = \tilde b_i$ or $a_i = \neg\tilde b_i$. In 
either case, Eve-Bob learn deterministically $g_i$ (since $g_i = h_i$ if $a_i = \tilde b_i$ and $g_i = h'_i$ if $a_i = \neg\tilde b_i$). That is, 
for any signal i emitted with several photons, Eve-Bob can learn deterministically $g_i$ while passing the 
test for the index i with certainty, if $i \in T$. In order to take into account this extra knowledge gained 
by Eve-Bob from the multi-photon signals, we consider a slightly worse scenario. We henceforth assume 
that: 

• In addition to sending the photon pulses exactly as described previously, Alice's source secretly tells 
Eve-Bob the partition $\Sigma = (V, S, M)$, the number of photons $n_i$ in each pulse $i \in M$ (collectively 
denoted by n(M)), Alice's bases a(M) and Alice's bits g(M). These secret announcements are 
made at the same time as the source emits the quantum signals, and we denote them collectively 
by $\mathcal{M} = (\Sigma, n(M), a(M), g(M))$. 

Again, this assumption can only weaken the security of the protocol. Now, given $\mathcal{M}$, Eve-Bob can 
re-create the signals sent by Alice on M. That is, provided Eve-Bob learn $\mathcal{M}$, we can assume that 
Eve-Bob receive only the photon pulses that are in S, without modifying the security of the protocol. 

To summarise, the security of the original key distribution protocol is implied by the security of the 
modified protocol in which Bob is corrupted by Eve and in which: 

• $\mathcal{M} = (\Sigma, n(M), a(M), g(M))$ is given secretly to Eve-Bob during step [?]. 

• Eve-Bob receive only the photon pulses that are in S. 

• Eve-Bob must announce publicly $h(\mathcal{D})$ in step [?]. 

• Bob's randomising box is not corrupted and announces publicly R and b honestly in step 5. 

5.5 Mathematical model of eavesdropping in the modified situation 

We define the view of Eve-Bob as the set of all data Eve-Bob acquired during the modified protocol. 
The random variable describing this view is denoted by v, and takes value in the set of all possible view 
values, Z. Following our model, the view v has the following form: 

v = {M,V,h{T>),R,P,j) (80) 

where 

• Ad = (S, n{AI) , a{M) , g(M)) is the random variable giving collectively the secret announcements 
of Alice's source (S ^ (V, S, M)), 

• P — {a,g{E), F,K,s) is the random variable giving collectively Alice's public announcements, 
and 
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• j is the random variable giving collectively the rest of classical data Eve-Bob obtain by performing 
measurements on the quantum signals. The structure of j depends, of course, on Eve-Bob's attack. 

Note that from the beginning Eve-Bob learn b from the random number generating box. Since the 

privacy results in the modified situation will not depend on b, we will consider & as a parameter of the 
protocol, known by everybody. This is why the corresponding random variable is omitted from v. 

We now present the formalism to describe the whole situation just after Eve-Bob learn A4 from the 
source, that is before they determine V. Just after Eve-Bob get an outcome A4 = A4, the situation is 
modeled as follows: 

The system as seen by Eve-Bob is described in a Hilbert space TCsys = 'He ® 'Hs where Tic is the 
Hilbert space describing the classical data a, 5, R, F, K processed by Alice or the randomising box and 
Hs is the Hilbert space describing single photon signals in S. 

We will denote by c = (a, g, R, F, K) the random variable giving collectively a, 5, R, F, K. Each 
possible value c = (a, g, R, F, K) for c is represented by a state (i.e. a normalised vector) | c) e Tic such 
that the set {| c)}c forms an orthonormal basis oiHc- The Hilbert space Hs is Hs = (^iesHphoton- The 
single photon polarisation Hilbert space Hphoton has been defined previously. 

For any quantum system described in a Hilbert space $\mathcal{H}$, the state of the system is fully defined by a Hermitian non negative matrix $\rho$ of unit trace called the density operator. When the system has probability $p_i$ to be in the state $|\psi_i\rangle$ for $i = 1, 2, \ldots, k$ (we say the system is in a statistical mixture of states), then the corresponding density operator is $\rho = \sum_{i=1}^k p_i\, |\psi_i\rangle\langle\psi_i|$. The result of a general measurement on a system described in $\mathcal{H}$ can be seen as an outcome of a random variable $\mathbf{q}$, where $\mathbf{q}$ is the measured physical quantity. A general measurement $\mathbf{q}$ on a system described in a Hilbert space $\mathcal{H}$ is described by a positive operator valued measure (POVM henceforth) $\{(q, F_q)\}_{q \in Q}$, where $Q$ is the set of all possible outcomes for $\mathbf{q}$. It is a set of Hermitian non negative operators $F_q$ on $\mathcal{H}$ such that $\sum_{q \in Q} F_q = \mathbb{1}_{\mathcal{H}}$. Then the probability that the measurement yields a particular value $q$ is given by

$P_{\mathbf{q}}(q) = \mathrm{Tr}(F_q\, \rho)$   (81)

where $\rho$ is the density operator of the system. For any $q \in Q$, the Hermitian non negative operator $F_q$ is called the positive operator associated with the outcome $q$. A more detailed description of the general measurement formalism can be found in [23].

This formalism can be applied to our system $\mathcal{H}_{sys} = \mathcal{H}_C \otimes \mathcal{H}_S$. However, we need to describe $\mathbf{c}$ as a classically encoded variable. This is done by adding the following restrictions to the above formalism:

• Any state in $\mathcal{H}_C \otimes \mathcal{H}_S$ should be described as a mixture of states in the canonical or computational basis of $\mathcal{H}_C$, i.e. its density matrix must be of the form

$\rho_{sys} = \sum_c P_{\mathbf{c}}(c)\, |c\rangle\langle c| \otimes |\Phi_c\rangle\langle\Phi_c|$   (82)

where computational basis means that no other basis than the canonical one $\{|a, g, R, F, K\rangle\}_c$ should be used (i.e. we shall not use a basis containing cat-state vectors such as $(|c\rangle + |c'\rangle)/\sqrt{2}$). The probability $P_{\mathbf{c}}(c)$ is the probability of occurrence of $c$.

• Any positive operator describing a general measurement on $\mathcal{H}_C \otimes \mathcal{H}_S$ should be of the form

$\Pi^C \otimes E^S$   (83)

where $\Pi^C$ (acting on $\mathcal{H}_C$) is some projection operator on the computational basis of $\mathcal{H}_C$ (i.e. on the subspace spanned by some set of vectors of the canonical basis). In other words,

$\Pi^C = \sum_{c \in A} |c\rangle\langle c|$   (84)

for some set $A$ of values $\mathbf{c}$ may take. The set $A$ corresponds to the set of values of $c$ that are compatible with the outcome associated with the positive operator.

The operator $E^S$ (acting on $\mathcal{H}_S$) is some positive operator in $\mathcal{H}_S$. This model allows global measurements in which two-way classical communication between Alice and Eve-Bob occurs. This is necessary since variables such as $E$ and the outcome of the test $\mathcal{T}$ depend on Bob's announcements.

In our model, Eve-Bob execute two measurements on the system. The first one allows them to find $\mathcal{D}$ and $h(\mathcal{D})$ given $\mathcal{M}$ but before the public announcements occur; the second one allows Eve-Bob to refine their information once $P$ is known.

However, technically, it is more convenient to think that Eve-Bob execute one single POVM measurement on the whole product space $\mathcal{H}_C \otimes \mathcal{H}_S$. This POVM should obey certain constraints reflecting the fact that $\mathcal{D}$ and $h(\mathcal{D})$ should be measured before the public announcements by Alice and the box.

Let us now describe more precisely the density matrix of the system and the POVM associated with the various possible measurements during the protocol.

Once Eve-Bob have learned the value taken by $\mathcal{M}$, the density matrix of the system as seen by Eve-Bob reads, prior to any further measurement,

$\rho_{|\mathcal{M}=M} = \sum_{c \in C_M} P_{\mathbf{c}|\mathcal{M}=M}(c)\, |c\rangle\langle c| \otimes |\Psi(g(S), a(S))\rangle\langle\Psi(g(S), a(S))|$   (85)

where

$C_M \stackrel{\mathrm{def}}{=} \{c' = (a', g', R', F', K') : a'(M) = a(M),\ g'(M) = g(M)\}$,   (86)

$|\Psi(g(S), a(S))\rangle \stackrel{\mathrm{def}}{=} \bigotimes_{i \in S} |\psi(g_i, a_i)\rangle$   (87)

(in the definition of $C_M$, $a(M)$ and $g(M)$ are given by $M$). The subscript "$|\mathcal{M}=M$" stands for "given $\mathcal{M}=M$". The probability distribution $P_{\mathbf{c}|\mathcal{M}=M}$ is normalised for each possible value of the size of $E$, that is, for each possible value of the number of columns in the matrices $F$ and $K$ (recall that the size of the parity check matrix and of the privacy amplification matrix is given by the set $E$). This is to ensure that the sum of the probabilities of all outcomes $c = (a, g, R, F, K)$ that are compatible with $|E| = n$ is equal to unity, for any possible value $n$. In other words, $\sum_{c:\ F \text{ and } K \text{ have } n \text{ columns}} P_{\mathbf{c}|\mathcal{M}=M}(c) = 1$.

Eve-Bob learn the outcome of $\mathcal{M}$, which is part of the view $v$. The remaining part of the view is provided by a single generalised measurement defined by the POVM

$\{(v, E_{v|\mathcal{M}=M})\}_{v \in Z_M}$   (88)

where $Z_M$ is the set of views giving $M$ for the announcement regarding the multiple photon signals. We have seen that for any $v \in Z_M$, $E_{v|\mathcal{M}=M}$ reads

$E_{v|\mathcal{M}=M} = \Pi_{v|\mathcal{M}=M} \otimes F_{v|\mathcal{M}=M}$   (89)

where $\Pi_{v|\mathcal{M}=M}$ is the projection onto the span of the states $|c\rangle \in \mathcal{H}_C$ for all $c$ compatible with the view $v$. Now $a$, $R$, $F$ and $K$ are given explicitly by $v$ (of course, the number of columns in $F$ and $K$ is $|E|$, where $E$ is given by $v$). The view $v$ tells as well that $\mathbf{g}(M) = g(M)$ (secret announcement of Alice's source), $\mathbf{g}(\bar{E}) = g(\bar{E})$ (announcement of the bits outside the sifted key) and $F\mathbf{g}(E) = Fg(E) = s$ (announcement of $s$; note that $F$ and $E$ are given by $v$). Therefore, the set of all values for $c$ compatible with $v$ is

$\{(a, y, R, F, K) : y \in C_{s, g(\bar{E} \cup M)}\}$ where

$C_{s, g(\bar{E} \cup M)} = \{x \in \{0,1\}^N : x(\bar{E} \cup M) = g(\bar{E} \cup M) \text{ and } Fx(E) = s \pmod 2\}$,   (90)

that is,

$\Pi_{v|\mathcal{M}=M} = \sum_{x \in C_{s, g(\bar{E} \cup M)}} |a, x, R, F, K\rangle\langle a, x, R, F, K|$.   (91)



Suppose now that at the end of the protocol, and after Eve-Bob get the view $v$, Alice announces the key $\kappa$. Then the POVM element $E_{(v,\kappa)|\mathcal{M}=M}$ associated to this situation is again of the product form (89), in which the factor $F_{v|\mathcal{M}=M}$ acting on $\mathcal{H}_S$ remains the same, since the additional data come from Alice's announcement only, after the attack. The set of all values for $c$ compatible with $(v, \kappa)$ in this situation is

$\{(a, y, R, F, K) : y \in C_{s, \kappa, g(\bar{E} \cup M)}\}$ where

$C_{s, \kappa, g(\bar{E} \cup M)} = \{x \in \{0,1\}^N : x(\bar{E} \cup M) = g(\bar{E} \cup M) \text{ and } Fx(E) = s \pmod 2 \text{ and } Kx(E) = \kappa \pmod 2\}$.   (93)

Therefore,

$\Pi_{(v,\kappa)|\mathcal{M}=M} = \sum_{x \in C_{s, \kappa, g(\bar{E} \cup M)}} |a, x, R, F, K\rangle\langle a, x, R, F, K|$.   (94)

Of course, Alice will not announce $\kappa$ publicly during the protocol. The above POVM has just been derived so that we can compute $P_{\mathbf{v}\boldsymbol{\kappa}}(v, \kappa)$, the probability that Eve-Bob get the view $v$ and that the key takes the value $\kappa$.

Finally, we can assume that for any $v$, the positive operators $F_{v|\mathcal{M}=M}$ are of rank one, i.e.

$F_{v|\mathcal{M}=M} = |\phi_v\rangle\langle\phi_v|$   (95)

where the $|\phi_v\rangle$ are some vectors in $\mathcal{H}_S$. The vectors $|\phi_v\rangle$ are in general neither normalised nor orthogonal. The reason for this assumption follows: suppose a positive operator $F_{v_0|\mathcal{M}=M}$ has rank greater than one, namely

$F_{v_0|\mathcal{M}=M} = \sum_{i \in I} |\eta_i\rangle\langle\eta_i|$   (96)

where the vectors $|\eta_i\rangle \in \mathcal{H}_S$ are possibly not normalised (such a decomposition is always possible since $F_{v_0|\mathcal{M}=M}$ is Hermitian positive) and $I$ is a set of size greater than 1. Then the modified POVM

$\{(v, E_{v|\mathcal{M}=M})\}_{v \neq v_0} \cup \{((v_0, i),\ \Pi_{v_0|\mathcal{M}=M} \otimes |\eta_i\rangle\langle\eta_i|)\}_{i \in I}$   (97)

gives more precise information than the original POVM. This justifies our assumption.

Finally, we examine the constraint on the POVM $\{(v, E_{v|\mathcal{M}=M})\}_{v \in Z_M}$ related to the fact that, given $\mathcal{M}$, Eve-Bob must determine $\mathcal{D}$ and $h(\mathcal{D} \cap \bar{M})$ ($g(M)$ is already known and Eve-Bob do not commit errors on $M$) prior to Alice's public announcements. We have seen that Eve-Bob may choose the set $\mathcal{D}$ at their convenience. Since signals in $M$ give perfect information about Alice's bits and signals in $V$ give no information at all, we assume that Eve-Bob follow the optimal strategy by choosing $\mathcal{D}$ such that

$M \subset \mathcal{D}$ and $\mathcal{D} \cap V = \emptyset$.   (98)

Now, since $M$, $\mathcal{D}$ and $h(\mathcal{D} \cap \bar{M})$ are parts of the view $v$, we can define the POVM

$E_{\mathcal{D}, h(\mathcal{D} \cap \bar{M})|\mathcal{M}=M} = \sum_{v \text{ gives } \mathcal{D}, h(\mathcal{D} \cap \bar{M})} E_{v|\mathcal{M}=M}$   (99)

which is the positive operator associated with the outcome $(\mathcal{D}, h(\mathcal{D} \cap \bar{M}))$ given that $\mathcal{M} = M$. When Eve-Bob make a measurement to determine $\mathcal{D}$ and $h(\mathcal{D} \cap \bar{M})$, the only data they have about $c$ are $a(M)$ and $g(M)$. Therefore,

$E_{\mathcal{D}, h(\mathcal{D} \cap \bar{M})|\mathcal{M}=M} = \Pi^M \otimes E^S_{\mathcal{D}, h(\mathcal{D} \cap \bar{M})|\mathcal{M}=M}$   (100)

where $E^S_{\mathcal{D}, h(\mathcal{D} \cap \bar{M})|\mathcal{M}=M}$ is some positive operator acting on $\mathcal{H}_S$ and

$\Pi^M = \sum_{c \in C_M} |c\rangle\langle c|$.   (101)

To recapitulate, for any positive real number $\epsilon > 0$, the test $\mathcal{T}(\Delta, \epsilon)$ on a subset $\Delta$ of $\mathcal{D}$ is modeled as follows:

• Eve-Bob get an outcome $\mathcal{M} = M$ for the multiple photon signals, thanks to Alice's source.

• Given $\mathcal{M} = M$, Eve-Bob determine the value taken by $\mathcal{D}$ and $h(\mathcal{D} \cap \bar{M})$ thanks to the POVM

$\big\{\big((M, \mathcal{D}, h(\mathcal{D} \cap \bar{M})),\ E_{\mathcal{D}, h(\mathcal{D} \cap \bar{M})|\mathcal{M}=M} = \Pi^M \otimes E^S_{\mathcal{D}, h(\mathcal{D} \cap \bar{M})|\mathcal{M}=M}\big)\big\}_{\mathcal{D}, h(\mathcal{D} \cap \bar{M})}$.   (102)

• Eve-Bob do not commit any error on $\Delta \cap M$.

5.6 Bound on the conditional entropy of the key in the modified situation

In this section, we derive the bound on the conditional entropy of the key in the modified situation. Throughout this section, we consider a given eavesdropping strategy chosen by Eve-Bob that fits the model we gave previously.

The structure of the proof follows. We define the subset $\mathcal{V}$ of views in which Eve-Bob succeed in passing the validation test (recall that in our protocol, the outcome of the validation test is publicly announced). We define two subsets $\mathcal{L}$ and $\mathcal{R}$ of $\mathcal{V}$. The subset $\mathcal{L}$ is the set of views for which the associated positive operators obey a certain constraint. This constraint is related to the fact that it is very unlikely that Eve-Bob pass the validation test while they have a substantial knowledge of Alice's sifted key: indeed, if a quantum signal is in the revealed set $R$, Eve-Bob want to learn the outcome of the measurement in the basis indicated by the randomising box. If it is not in $R$, then Eve-Bob want to learn the measurement's outcome in the conjugate basis (the basis to be learned is the conjugate of the box's basis when $i \notin R$). The trouble for Eve-Bob is that they do not know $R$ before they have to announce their bits $h(\mathcal{D})$, and this can be translated in the form of the above constraint. The second subset $\mathcal{R}$ corresponds to the set of views in which the probabilistic properties we have seen previously actually hold. We prove useful identities on $\mathcal{R}$ that are necessary in the subsequent part of the proof. We then prove that: 1) when the view is in the intersection of $\mathcal{R}$ and $\mathcal{L}$, Alice's private key is almost uniformly distributed and independent of Eve-Bob's view, and 2) this intersection covers almost completely the set $\mathcal{V}$ of views passing the test. Then conclusive calculations lead to the privacy of the protocol.

The following lemma will be useful in this section. 




Lemma 2  Let the density matrix of the system be of the form

$\rho_{sys} = \sum_c P_{\mathbf{c}}(c)\, |c\rangle\langle c| \otimes |\Phi_c\rangle\langle\Phi_c|$   (103)

where the $|\Phi_c\rangle$ are normalised vectors in $\mathcal{H}_S$, and let a positive operator acting on $\mathcal{H}_{sys}$ be of the form

$F = \Big(\sum_{c \in A} |c\rangle\langle c|\Big) \otimes F^S$   (104)

where $A$ is some set of values for $c$. Then for any operators $V$ and $W$ acting on $\mathcal{H}_S$ (identified with $\mathbb{1}_{\mathcal{H}_C} \otimes V$ and $\mathbb{1}_{\mathcal{H}_C} \otimes W$ on $\mathcal{H}_{sys}$),

$\mathrm{Tr}(F\, V \rho_{sys} W) = P_{\mathbf{c}}(A)\, \mathrm{Tr}(F^S\, V \rho_{sys,A} W)$   (105)

provided $P_{\mathbf{c}}(A) > 0$, where

$P_{\mathbf{c}}(A) = \sum_{c' \in A} P_{\mathbf{c}}(c')$ and   (106)

$\rho_{sys,A} = \frac{1}{P_{\mathbf{c}}(A)} \sum_{c \in A} P_{\mathbf{c}}(c)\, |\Phi_c\rangle\langle\Phi_c|$.   (107)

Proof  We have:

$\mathrm{Tr}(F\, V \rho_{sys} W) = \sum_{c \in A} \sum_{c'} P_{\mathbf{c}}(c')\, |\langle c|c'\rangle|^2\, \mathrm{Tr}(F^S\, V |\Phi_{c'}\rangle\langle\Phi_{c'}| W)$   (108)

$= \sum_{c \in A} P_{\mathbf{c}}(c)\, \mathrm{Tr}(F^S\, V |\Phi_c\rangle\langle\Phi_c| W)$   (109)

$= \mathrm{Tr}\Big(F^S\, V \sum_{c \in A} P_{\mathbf{c}}(c)\, |\Phi_c\rangle\langle\Phi_c|\, W\Big)$,   (110)

using $|\langle c|c'\rangle|^2 = \delta_{c,c'}$, where $\delta_{x,x'} = 0$ if $x \neq x'$ and $\delta_{x,x'} = 1$ if $x = x'$. Now if $P_{\mathbf{c}}(A) = \sum_{c' \in A} P_{\mathbf{c}}(c') > 0$, then

$\mathrm{Tr}(F\, V \rho_{sys} W) = P_{\mathbf{c}}(A)\, \mathrm{Tr}\Big(F^S\, V\, \frac{1}{P_{\mathbf{c}}(A)} \sum_{c \in A} P_{\mathbf{c}}(c)\, |\Phi_c\rangle\langle\Phi_c|\, W\Big)$.   (111)

The factor $P_{\mathbf{c}}(A)$ has only been introduced so that $\rho_{sys,A}$ is normalised:

$\mathrm{Tr}(\rho_{sys,A}) = \frac{1}{P_{\mathbf{c}}(A)} \sum_{c \in A} P_{\mathbf{c}}(c)\, \mathrm{Tr}(|\Phi_c\rangle\langle\Phi_c|) = 1$.   (112)

This concludes the proof. □
5.6.1 Small sphere property

In this section we define $\mathcal{L}$, the set of views passing the test and for which the associated positive operators obey a certain constraint. We then prove that $\mathcal{L}$ covers almost completely $\mathcal{V}$.

Definition 2  The set $\mathcal{V}$ is defined as the set of all views of Eve-Bob in which the validation test is passed:

$\mathcal{V} := \{v \in Z : \mathrm{valid} = \mathrm{true}\}$.   (113)

Definition 3  For any view

$v = (M, \mathcal{D}, h(\mathcal{D}), R, P, j) \in Z$   (114)

where $M = (\Sigma, n(M), a(M), g(M))$ and $P = (a, g(\bar{E}), F, K, s)$, define the partial view $z$ as

$z = (M, \mathcal{D}, h(\mathcal{D} \cap \bar{M}), a, R)$, part of $v$.   (115)

The partial view describes the data Eve-Bob have after receiving $\mathcal{M}$ and after the measurement of $\mathcal{D}$ and $h(\mathcal{D} \cap \bar{M})$, followed by the announcements of $(a, R)$ by Alice and the randomising box. Recall that Eve-Bob do not make any mistake on $M$ thanks to Alice's source, and that they need only to get $h(\mathcal{D} \cap \bar{M})$ using the POVM (102). Given any partial view $z = (M, \mathcal{D}, h(\mathcal{D} \cap \bar{M}), a, R)$, define $\Pi_0(z)$ as the orthogonal projection operator onto $\mathrm{Span}(\{|\Psi(j, b)\rangle : d_{E \cap \bar{M}}(j, h) \ge d_2\})$, where $d_2 = (\delta + \tau_f)\,[\ldots]\,n$ and where $E$, $M$ and $h(\mathcal{D} \cap \bar{M})$ are given by the partial view $z$. We have restricted to $E \cap \bar{M}$ and $T \cap \bar{M}$ because Eve-Bob do not commit any error on $M$. We prove now the following property (referred to as the small sphere property in Mayers' original proof).

Property 6  Let the subset of views $\mathcal{L} \subset \mathcal{V}$ be defined by

$\mathcal{L} \stackrel{\mathrm{def}}{=} \Big\{v \in \mathcal{V} : P_{\mathcal{M}}(M)\, \mathrm{Tr}\big[E_{v|\mathcal{M}=M}\, \Pi_0(z)\, \rho_{|\mathcal{M}=M}\, \Pi_0(z)\big] \le \sqrt{g(\delta, \tau_f, p_R, n)}\, P_{\mathbf{v}}(v)\Big\}$,   (116)

where

$g(\delta, \tau_f, p_R, n) = f(\delta, \tau_f, p_R/2, (1-p_R)/2, r_{min} N)$   (117)

is the exponential bound $f$ obtained in the previous section, evaluated at $p_T = p_R/2$, $p_E = (1-p_R)/2$ and $|\mathcal{D}| = r_{min} N$. Then the probability weight of $\mathcal{L}$ is lower bounded by:

$P_{\mathbf{v}}(\mathcal{L}) \ge P_{\mathbf{v}}(\mathcal{V}) - \sqrt{g(\delta, \tau_f, p_R, n)}$.   (118)

Proof  Define $Z_{r_{min}} \subset Z$ as the subset of views for which the size of $\mathcal{D}$ satisfies the first condition of the validation test, i.e. $n \ge r_{min} N$, or $Z_{r_{min}} = \{v \in Z : |\mathcal{D}| \ge r_{min} N \text{ where } \mathcal{D} \text{ is given by } v\}$. Likewise, define $W_{r_{min}}$ as the subset of partial views $z$ for which the size of $\mathcal{D}$ satisfies the condition $n \ge r_{min} N$, that is $W_{r_{min}} = \{z : |\mathcal{D}| \ge r_{min} N\}$. We can assume that $P_{\mathbf{v}}(Z_{r_{min}})$ and $P_{\mathbf{z}}(W_{r_{min}})$ are strictly positive. Otherwise, since $\mathcal{V} \subset Z_{r_{min}}$, this would imply $P_{\mathbf{v}}(\mathcal{V}) = 0$, which implies trivial security of the protocol. Define the positive operator $\Pi_1(z)$ as the orthogonal projection operator onto $\mathrm{Span}(\{|\Psi(j, b)\rangle : d_{T \cap \bar{M}}(j, h) \le d_1\})$, where $d_1 = \delta\, n$, and where $T$, $M$ and $h(\mathcal{D} \cap \bar{M})$ are given by $z$ as before. We also define $\bar{\Pi}_1(z) = \mathbb{1} - \Pi_1(z)$.
We first prove that the set of views $\mathcal{Q}$ defined by

$\mathcal{Q} \stackrel{\mathrm{def}}{=} \Big\{v \in Z_{r_{min}} : P_{\mathcal{M}}(M)\, \mathrm{Tr}\big[E_{v|\mathcal{M}=M}\, \Pi_1(z)\Pi_0(z)\, \rho_{|\mathcal{M}=M}\, \Pi_0(z)\Pi_1(z)\big] \le \sqrt{g(\delta, \tau_f, p_R, n)}\, P_{\mathbf{v}}(v)\Big\}$   (119)

has probability bounded from below by

$P_{\mathbf{v}}(\mathcal{Q}) \ge \big(1 - \sqrt{g(\delta, \tau_f, p_R, n)}\big)\, P_{\mathbf{v}}(Z_{r_{min}})$.   (120)

Let us assume that we are given that $\mathcal{D} = D$ for some set $D$. The starting point is the following: as mentioned already, Eve-Bob do not know Alice's bases $a$ nor the choice of $R$ during the quantum transmission. This means that in a fictional situation $\mathcal{F}$ in which the single photons sent by Alice are in the state $|\Psi(g(S), b(S))\rangle$ instead of $|\Psi(g(S), a(S))\rangle$ (the classically stored $a$ remains however unchanged), the probabilistic property proved earlier holds for the subsets $T$ and $E$ of $D$. Let $C$ be the random variable giving the set of discrepancies between Alice's bits $g(D)$ and Bob's bits $h(D)$ on $D$. Then in such a situation, the error set $C$ is independent of $a$ and $R$. This implies that $T$ and $E$ are independent of $C$. Using that property for $S \to D$, $A \to T$, $B \to E$ and $C$ with $p_A = p_T = p_R/2$, $p_B = p_E = (1 - p_R)/2$ (the factor $1/2$ is the probability that $a_i = b_i$ (for $T$) and $a_i \neq b_i$ (for $E$) respectively), we have

$\Pr\big(\mathcal{P}(T, d_1) \wedge \neg\mathcal{P}(E, d_2)\,\big|\,\mathcal{F}, \mathcal{D} = D\big) \le f(\delta, \tau_f, p_T, p_E, |D|)$.   (121)

Multiplying the above relation by $P_{\mathcal{D}}(D)$ and summing over all $D$ that satisfy $|D| \ge r_{min} N$, one gets

$\Pr\big((n \ge r_{min} N) \wedge \mathcal{P}(T, d_1) \wedge \neg\mathcal{P}(E, d_2)\,\big|\,\mathcal{F}\big) \le g(\delta, \tau_f, p_R, n)\, P_{\mathbf{v}}(Z_{r_{min}})$   (122)

remarking that $f(\delta, \tau_f, p_R/2, (1-p_R)/2, r_{min} N) = g(\delta, \tau_f, p_R, n)$ dominates each term since $|D| \ge r_{min} N$, and that $P_{\mathbf{v}}(Z_{r_{min}}) = \sum_{D : |D| \ge r_{min} N} P_{\mathcal{D}}(D)$. But the l.h.s. above reads

$\Pr\big((n \ge r_{min} N) \wedge \mathcal{P}(T, d_1) \wedge \neg\mathcal{P}(E, d_2)\,\big|\,\mathcal{F}\big) = \sum_c \sum_{z' \in W_{r_{min}}} P_{\mathbf{c}}(c)\, P_{\mathcal{M}|\mathbf{c}=c}(M')\, P_{\mathbf{z}|\mathcal{F}, \mathbf{c}=c, \mathcal{M}=M'}(z')\, \Pr\big(\mathcal{P}(T, d_1) \wedge \neg\mathcal{P}(E, d_2)\,\big|\,\mathcal{F}, \mathbf{c}=c, \mathbf{z}=z'\big)$   (123)

where $M'$ is given uniquely by the partial view $z' = (M', D', h'(D' \cap \bar{M}'), a', R')$. Note that $\mathbf{c}$ and $\mathcal{M}$ are independent of the event $\mathcal{F}$.

It is easy to see from (102) that, given $\mathcal{M} = M$, the POVM associated with the partial view $z \in W_M$ (where $W_M$ is the set of partial views that are compatible with $\mathcal{M} = M$) is

$\big\{\big(z = (M, \mathcal{D}, h(\mathcal{D} \cap \bar{M}), a, R),\ E_{z|\mathcal{M}=M} = \Pi_{a, g(M), R} \otimes E^S_{z|\mathcal{M}=M}\big)\big\}_{z \in W_M}$   (124)

where

$\Pi_{a, g(M), R} = \sum_{F', K', g' :\ g'(M) = g(M)} |a, g', R, F', K'\rangle\langle a, g', R, F', K'|$   (125)

is the projection onto the states giving $a$, $g(M)$ and $R$ for Alice's choice of bases, Alice's bits on $M$ and the randomising box's choice for the revealed set, respectively.
Using this POVM, we have:

$P_{\mathbf{z}|\mathcal{F}, \mathbf{c}=c, \mathcal{M}=M'}(z') = \mathrm{Tr}\big[E_{z'|\mathcal{M}=M'}\ |c\rangle\langle c| \otimes |\Psi(g(S'), b(S'))\rangle\langle\Psi(g(S'), b(S'))|\big]$   (126–127)

$= \delta_{a,a'}\, \delta_{R,R'}\, \delta_{g(M'), g'(M')}\ \mathrm{Tr}\big[E^S_{z'|\mathcal{M}=M'}\ |\Psi(g(S'), b(S'))\rangle\langle\Psi(g(S'), b(S'))|\big]$   (128)

where $S'$, $M'$ and $g'(M')$ are given by $M'$; $a'$, $R'$, $D'$ and $h'(D' \cap \bar{M}')$ are given by $z'$; and $a$, $R$ and $g$ are given by $c$. We recall that $M'$ is part of $z'$.

Since Eve-Bob do not commit any error on $M$,

$\Pr\big(\mathcal{P}(T, d_1) \wedge \neg\mathcal{P}(E, d_2)\,\big|\,\mathcal{F}, \mathbf{c}=c, \mathbf{z}=z'\big) = \Pr\big(\mathcal{P}(T \cap \bar{M}, d_1) \wedge \neg\mathcal{P}(E \cap \bar{M}, d_2)\,\big|\,\mathcal{F}, \mathbf{c}=c, \mathbf{z}=z'\big)$   (129)

$= \mathbf{1}\big[d_{T' \cap \bar{M}'}(g, h') \le d_1 \text{ and } d_{E' \cap \bar{M}'}(g, h') \ge d_2\big]$   (130)

$= \mathrm{Tr}\big(\Pi_1(z')\Pi_0(z')\ |\Psi(g(S'), b(S'))\rangle\langle\Psi(g(S'), b(S'))|\ \Pi_0(z')\Pi_1(z')\big)$   (131)

where the sets $T'$, $E'$ and $M'$ are uniquely given by the partial view $z'$. Note that

$\Pi_1(z')\Pi_0(z')\ |\Psi(g(S'), b(S'))\rangle\langle\Psi(g(S'), b(S'))|\ \Pi_0(z')\Pi_1(z') = \begin{cases} |\Psi(g(S'), b(S'))\rangle\langle\Psi(g(S'), b(S'))| & \text{if } d_{T' \cap \bar{M}'}(g, h') \le d_1 \text{ and } d_{E' \cap \bar{M}'}(g, h') \ge d_2 \\ 0 & \text{otherwise.} \end{cases}$   (132)

Therefore, the above term can be integrated in the other trace so that

$\Pr\big((n \ge r_{min} N) \wedge \mathcal{P}(T, d_1) \wedge \neg\mathcal{P}(E, d_2)\,\big|\,\mathcal{F}\big) = \sum_c \sum_{z' \in W_{r_{min}}} P_{\mathbf{c}\mathcal{M}}(c, M')\, \delta_{a,a'}\, \delta_{R,R'}\, \delta_{g(M'), g'(M')} \times \mathrm{Tr}\big[E^S_{z'|\mathcal{M}=M'}\ \Pi_1(z')\Pi_0(z')\ |\Psi(g(S'), b(S'))\rangle\langle\Psi(g(S'), b(S'))|\ \Pi_0(z')\Pi_1(z')\big]$   (133)

but

$P_{\mathbf{c}\mathcal{M}}(c, M') = P_{\mathcal{M}}(M')\, P_{\mathbf{c}|\mathcal{M}=M'}(c)$   (134)

$= P_{\mathcal{M}}(M')\, P_{\mathbf{g}(S')}(g(S'))\, P_{\mathbf{a}\mathbf{g}(\bar{S}')\mathbf{R}\mathbf{F}\mathbf{K}|\mathcal{M}=M'}(a, g(\bar{S}'), R, F, K)$   (135)

$= P_{\mathcal{M}}(M')\, \frac{1}{2^{|S'|}}\, P_{\mathbf{a}\mathbf{g}(\bar{S}')\mathbf{R}\mathbf{F}\mathbf{K}|\mathcal{M}=M'}(a, g(\bar{S}'), R, F, K)$   (136)
since $g(S')$ is uniformly distributed and independent of $\mathcal{M}$, $a$, $g(\bar{S}')$, $R$, $F$ and $K$. Recall that $S$ is not chosen by Eve-Bob, but randomly by the source. Therefore,

$\Pr\big((n \ge r_{min} N) \wedge \mathcal{P}(T, d_1) \wedge \neg\mathcal{P}(E, d_2)\,\big|\,\mathcal{F}\big) = \sum_{z' \in W_{r_{min}}} \sum_{a, g(\bar{S}'), R, F, K} P_{\mathcal{M}}(M')\, P_{\mathbf{a}\mathbf{g}(\bar{S}')\mathbf{R}\mathbf{F}\mathbf{K}|\mathcal{M}=M'}(a, g(\bar{S}'), R, F, K)\, \delta_{a,a'}\, \delta_{R,R'}\, \delta_{g(M'), g'(M')} \times \mathrm{Tr}\Big[E^S_{z'|\mathcal{M}=M'}\ \Pi_1(z')\Pi_0(z') \sum_{g(S')} \frac{1}{2^{|S'|}}\, |\Psi(g(S'), b(S'))\rangle\langle\Psi(g(S'), b(S'))|\ \Pi_0(z')\Pi_1(z')\Big]$.   (137)

The important point to remark is that

$\frac{1}{2^{|S'|}} \sum_{g(S')} |\Psi(g(S'), b(S'))\rangle\langle\Psi(g(S'), b(S'))| = \frac{1}{2^{|S'|}} \sum_{g(S')} |\Psi(g(S'), a(S'))\rangle\langle\Psi(g(S'), a(S'))| = \frac{\mathbb{1}_{\mathcal{H}_{S'}}}{2^{|S'|}}$,   (138)

both families being orthonormal bases of $\mathcal{H}_{S'}$: the uniform mixture does not depend on the basis in which the bits were encoded. Therefore, setting back the sum over $g(S')$ and writing back the trace over the classical spaces in the original form, we obtain

$\Pr\big((n \ge r_{min} N) \wedge \mathcal{P}(T, d_1) \wedge \neg\mathcal{P}(E, d_2)\,\big|\,\mathcal{F}\big) = \sum_{z' \in W_{r_{min}}} \sum_{a, g(\bar{S}'), R, F, K} P_{\mathcal{M}}(M')\, P_{\mathbf{a}\mathbf{g}(\bar{S}')\mathbf{R}\mathbf{F}\mathbf{K}|\mathcal{M}=M'}(a, g(\bar{S}'), R, F, K)\, \delta_{a,a'}\, \delta_{R,R'}\, \delta_{g(M'), g'(M')} \times \mathrm{Tr}\Big[E^S_{z'|\mathcal{M}=M'}\ \Pi_1(z')\Pi_0(z') \sum_{g(S')} \frac{1}{2^{|S'|}}\, |\Psi(g(S'), a(S'))\rangle\langle\Psi(g(S'), a(S'))|\ \Pi_0(z')\Pi_1(z')\Big]$   (139)

$= \sum_c \sum_{z' \in W_{r_{min}}} P_{\mathbf{c}\mathcal{M}}(c, M')\, \mathrm{Tr}\big[E_{z'|\mathcal{M}=M'}\ |c\rangle\langle c| \otimes \Pi_1(z')\Pi_0(z')\ |\Psi(g(S'), a(S'))\rangle\langle\Psi(g(S'), a(S'))|\ \Pi_0(z')\Pi_1(z')\big]$   (140)

$= \sum_{z' \in W_{r_{min}}} P_{\mathcal{M}}(M')\, \mathrm{Tr}\big[E_{z'|\mathcal{M}=M'}\ \Pi_1(z')\Pi_0(z')\ \rho_{|\mathcal{M}=M'}\ \Pi_0(z')\Pi_1(z')\big]$, or,   (141)

$= \sum_{z \in W_{r_{min}}} P_{\mathcal{M}}(M)\, \mathrm{Tr}\big[E_{z|\mathcal{M}=M}\ \Pi_1(z)\Pi_0(z)\ \rho_{|\mathcal{M}=M}\ \Pi_0(z)\Pi_1(z)\big]$,   (142)

where $M$ is given by $z$.

But $E_{z|\mathcal{M}=M} = \sum_{v \text{ gives } z} E_{v|\mathcal{M}=M}$, and we get

$\Pr\big((n \ge r_{min} N) \wedge \mathcal{P}(T, d_1) \wedge \neg\mathcal{P}(E, d_2)\,\big|\,\mathcal{F}\big) = \sum_{v \in Z_{r_{min}}} P_{\mathcal{M}}(M)\, \mathrm{Tr}\big[E_{v|\mathcal{M}=M}\ \Pi_1(z)\Pi_0(z)\ \rho_{|\mathcal{M}=M}\ \Pi_0(z)\Pi_1(z)\big]$   (143)

where $M$ and $z$ are given by $v$, and recalling Inequality (122), we get

$\sum_{v \in Z_{r_{min}}} P_{\mathcal{M}}(M)\, \mathrm{Tr}\big[E_{v|\mathcal{M}=M}\ \Pi_1(z)\Pi_0(z)\ \rho_{|\mathcal{M}=M}\ \Pi_0(z)\Pi_1(z)\big] \le g(\delta, \tau_f, p_R, n)\, P_{\mathbf{v}}(Z_{r_{min}})$.   (144)

At this point we use the following lemma.
Lemma 3  Let $\mu$ be a strictly positive real number. Let $\mathbf{y}$ be a random variable taking values in a set $\mathcal{Y}$. Let $\{a_y\}_{y \in \mathcal{Y}}$ be a set of $|\mathcal{Y}|$ real non negative numbers such that $\sum_{y \in \mathcal{Y}} a_y \le \mu$. Let $q$ be a strictly positive number. If we define the subset $X \subset \mathcal{Y}$ by

$X = \{y \in \mathcal{Y} : a_y \le \mu\, q\, P_{\mathbf{y}}(y)\}$   (145)

then $P_{\mathbf{y}}(X) \ge 1 - \frac{1}{q}$.

Proof  Assume to the contrary that the set $S = \mathcal{Y} \setminus X = \{y \in \mathcal{Y} : a_y > \mu\, q\, P_{\mathbf{y}}(y)\}$ has probability $P_{\mathbf{y}}(S)$ greater than $\frac{1}{q}$. Then

$\sum_{y} a_y \ge \sum_{y \in S} a_y > \mu\, q \sum_{y \in S} P_{\mathbf{y}}(y) = \mu\, q\, P_{\mathbf{y}}(S) > \mu$.   (146)

Therefore $\sum_y a_y > \mu$, which is a contradiction. This concludes the proof. □

Define the set of views $\mathcal{Q}$ as:

$\mathcal{Q} = \Big\{v \in Z_{r_{min}} : P_{\mathcal{M}}(M)\, \mathrm{Tr}\big[E_{v|\mathcal{M}=M}\ \Pi_1(z)\Pi_0(z)\ \rho_{|\mathcal{M}=M}\ \Pi_0(z)\Pi_1(z)\big] \le \sqrt{g(\delta, \tau_f, p_R, n)}\, P_{\mathbf{v}}(v)\Big\}$.   (147)

Then applying the above lemma for $\mu = g(\delta, \tau_f, p_R, n)\, P_{\mathbf{v}}(Z_{r_{min}})$, $q = 1/\sqrt{g(\delta, \tau_f, p_R, n)}$ and the probability distribution on $Z_{r_{min}}$ given by the conditional distribution $P_{\mathbf{v}}(v)/P_{\mathbf{v}}(Z_{r_{min}})$, we find that

$P_{\mathbf{v}}(\mathcal{Q}) \ge \big(1 - \sqrt{g(\delta, \tau_f, p_R, n)}\big)\, P_{\mathbf{v}}(Z_{r_{min}})$.   (148)

Thus, for any view $v \in \mathcal{Q} \cap \mathcal{V}$, we have:

$P_{\mathcal{M}}(M)\, \mathrm{Tr}\big[E_{v|\mathcal{M}=M}\ \Pi_1(z)\Pi_0(z)\ \rho_{|\mathcal{M}=M}\ \Pi_0(z)\Pi_1(z)\big] \le \sqrt{g(\delta, \tau_f, p_R, n)}\, P_{\mathbf{v}}(v)$.   (149)

However, since $v \in \mathcal{V}$ we also have:

$P_{\mathcal{M}}(M)\, \mathrm{Tr}\big(E_{v|\mathcal{M}=M}\ \Pi_1(z)\Pi_0(z)\ \rho_{|\mathcal{M}=M}\ \Pi_0(z)\Pi_1(z)\big)$   (150)

$= P_{\mathcal{M}\mathbf{a}\mathbf{R}\mathbf{F}\mathbf{K}}(M, a, R, F, K)\, P_{\mathbf{g}}(C_{s, g(\bar{E} \cup M)})\, \mathrm{Tr}\Big[F_{v|\mathcal{M}=M}\ \Pi_1(z)\Pi_0(z)\ \frac{1}{|C_{s, g(\bar{E} \cup M)}|} \sum_{x \in C_{s, g(\bar{E} \cup M)}} |\Psi(x, a)\rangle\langle\Psi(x, a)|\ \Pi_0(z)\Pi_1(z)\Big]$   (151)

using Lemma 2, and since for any $x \in C_{s, g(\bar{E} \cup M)}$ (note that $a_i = b_i$ for $i \in T$),

$\Pi_1(z)\ |\Psi(x, a)\rangle\langle\Psi(x, a)|\ \Pi_1(z) = |\Psi(x, a)\rangle\langle\Psi(x, a)|$   (152)

(that is, $z = (M, \mathcal{D}, h(\mathcal{D} \cap \bar{M}), a, R)$ verifies $d_{T \cap \bar{M}}(h, x) \le d_1$ for any $x \in C_{s, g(\bar{E} \cup M)}$, because such an $x$ agrees with $g$ on $T \subset \bar{E}$ and the test on $T$ has been passed). Note that $\Pi_0(z)$ and $\Pi_1(z)$ commute, since $\Pi_0(z)$ acts only on $\mathcal{H}_{E \cap \bar{M}}$ and $\Pi_1(z)$ only on $\mathcal{H}_{T \cap \bar{M}}$. Thus we have, $\forall v \in \mathcal{Q} \cap \mathcal{V}$,

$P_{\mathcal{M}}(M)\, \mathrm{Tr}\big(E_{v|\mathcal{M}=M}\ \Pi_1(z)\Pi_0(z)\ \rho_{|\mathcal{M}=M}\ \Pi_0(z)\Pi_1(z)\big) = P_{\mathcal{M}}(M)\, \mathrm{Tr}\big(E_{v|\mathcal{M}=M}\ \Pi_0(z)\ \rho_{|\mathcal{M}=M}\ \Pi_0(z)\big)$   (153)

$\le P_{\mathbf{v}}(v)\, \sqrt{g(\delta, \tau_f, p_R, n)}$   (154)
where (154) is Inequality (149). This proves that $\mathcal{Q} \cap \mathcal{V} \subset \mathcal{L}$. Therefore the probability of $\mathcal{L}$ is bounded from below by

$P_{\mathbf{v}}(\mathcal{L}) \ge P_{\mathbf{v}}(\mathcal{Q} \cap \mathcal{V})$   (155)

$\ge P_{\mathbf{v}}(\mathcal{V}) - P_{\mathbf{v}}(\bar{\mathcal{Q}} \cap Z_{r_{min}})$   (156)

$\ge P_{\mathbf{v}}(\mathcal{V}) - \sqrt{g(\delta, \tau_f, p_R, n)}$,   (157)

using $\mathcal{V} \subset Z_{r_{min}}$ and (148), which concludes the proof of the small sphere property. □
5.6.2 Identities on $\mathcal{R}$

Here we define another big subset of $\mathcal{V}$, corresponding to the set of views in which probabilistic assumptions such as $l \ge l_{min}$ and $d_w > 2(\delta + \tau_f)\,[\ldots]\,n$ hold. We require as well that for any $v \in \mathcal{R}$, $P_{\mathbf{v}}(v) > 0$. Formally,

$\mathcal{R} = \{v \in \mathcal{V} : v \text{ verifies } l \ge l_{min},\ d_w > 2(\delta + \tau_f)\,[\ldots]\,n = 2 d_2,\ P_{\mathbf{v}}(v) > 0\}$   (158)

remembering that $l$, $l_{min}$ and $d_w$ are all uniquely defined by Eve-Bob's view $v$.

In the last section of this proof, a bound on the probability of the set of views $\bar{\mathcal{R}} \cap \mathcal{V}$ will be needed. We have, using the probabilistic properties proved previously,

$P_{\mathbf{v}}(\bar{\mathcal{R}} \cap \mathcal{V}) \le \Pr\big(l < l_{min} \wedge n \ge r_{min} N\big) + \Pr\big(d_w \le 2(\delta + \tau_f)\,[\ldots]\,n \wedge l \ge l_{min} \wedge n \ge r_{min} N\big)$.   (159)

We now prove the following properties on $\mathcal{R}$, i.e. for

$v = (M, \mathcal{D}, h(\mathcal{D}), R, P, j) \in \mathcal{R}$   (161)

where $M = (\Sigma, n(M), a(M), g(M))$, $\Sigma = (V, S, M)$ and $P = (a, g(\bar{E}), F, K, s)$. This implies for instance that $d_w$ verifies $d_w > 2(\delta + \tau_f)\,[\ldots]\,n$ in this section. It might be useful to realise that the following properties are exactly equivalent to the properties proved in Mayers' original paper, in which the sifted keys $g(E)$ and $h(E)$ are replaced by the single-photon encoded sifted keys $g(E \cap \bar{M})$ and $h(E \cap \bar{M})$.

Property 7

$\forall v \in \mathcal{R},\ \forall \kappa \in \{0,1\}^m,\quad |C_{s, \kappa, g(\bar{E} \cup M)}| = 2^{-m}\, |C_{s, g(\bar{E} \cup M)}|$.   (162)

Proof  We remark that:

$C_{s, g(\bar{E} \cup M)} = \{x \in \{0,1\}^N : x(\bar{E} \cup M) = g(\bar{E} \cup M) \text{ and } Fx(E \cap \bar{M}) = s + Fg(E \cap M) \pmod 2\}$   (163)
($+$ and $-$ are equivalent in arithmetic modulo 2), and

$C_{s, \kappa, g(\bar{E} \cup M)} = \{x \in \{0,1\}^N : x(\bar{E} \cup M) = g(\bar{E} \cup M) \text{ and } Fx(E \cap \bar{M}) = s + Fg(E \cap M) \pmod 2,\ Kx(E \cap \bar{M}) = \kappa + Kg(E \cap M) \pmod 2\}$.   (164)

Now, for $v \in \mathcal{R}$, $d_w > 0$, that is, the rows of $K$ are linearly independent and each row of $K$ is linearly independent of the rows of $F$ (all restricted to the columns in $E \cap \bar{M}$). Therefore $Kx(E \cap \bar{M}) = \kappa + Kg(E \cap M) \pmod 2$ introduces $m$ additional linearly independent constraints in $C_{s, g(\bar{E} \cup M)}$. Thus $|C_{s, \kappa, g(\bar{E} \cup M)}| = 2^{-m}\, |C_{s, g(\bar{E} \cup M)}|$. □
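As an added worked example (not part of the paper), the following Python code enumerates the compatible sets of Eqs. (90) and (93) for a constructed toy instance: a parity check matrix $F$ with $r = 2$ rows, a privacy amplification matrix $K$ with $m = 1$ row, and $l = 4$ unknown single-photon positions in $E$. The constraint $x(\bar{E} \cup M) = g(\bar{E} \cup M)$ is already absorbed, so only the $l$ free bits are enumerated, and the target syndromes passed in stand for $s + Fg(E \cap M)$ and $\kappa + Kg(E \cap M)$ of Eqs. (163)–(164). The code checks the independence condition $d_w > 0$ of Property 7, the resulting ratio $|C_{s,\kappa}| = 2^{-m}|C_s|$, and what happens when a row of $K$ lies in the row space of $F$ (the key bit then becomes a deterministic function of the announced syndrome). All matrices and values are constructed for the illustration.

```python
from itertools import product

# Constructed toy instance (not from the paper): l = 4 unknown bits,
# parity check matrix F (r = 2 rows), privacy amplification matrix K (m = 1 row),
# all over GF(2), rows given as lists of 0/1.
F_EXAMPLE = [[1, 1, 0, 0],
             [0, 1, 1, 0]]
K_EXAMPLE = [[0, 0, 1, 1]]
# A bad choice: this row of K equals the sum of the two rows of F.
K_DEPENDENT = [[1, 0, 1, 0]]


def gf2_rank(rows):
    """Rank over GF(2) by Gaussian elimination on copies of the rows."""
    rows = [list(r) for r in rows]
    rank = 0
    ncols = len(rows[0]) if rows else 0
    for col in range(ncols):
        pivot = next((i for i in range(rank, len(rows)) if rows[i][col]), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        for i in range(len(rows)):
            if i != rank and rows[i][col]:
                rows[i] = [u ^ w for u, w in zip(rows[i], rows[rank])]
        rank += 1
    return rank


def mat_vec(mat, y):
    """Matrix-vector product over GF(2); returns a tuple of bits."""
    return tuple(sum(a & b for a, b in zip(row, y)) % 2 for row in mat)


def k_independent_of_f(F, K):
    """The condition d_w > 0 of Property 7: the rows of K are independent of
    each other and of the rows of F, i.e. rank(G) = rank(F) + m for G = (F; K)."""
    return gf2_rank(F + K) == gf2_rank(F) + len(K)


def min_weight_dw(F, K):
    """d_w: minimum Hamming weight of lambda G over all lambda whose K-part is
    non-zero (the set Q* of the paper). It is 0 exactly when a K row is dependent."""
    r, m = len(F), len(K)
    G = F + K
    best = None
    for lam in product((0, 1), repeat=r + m):
        if not any(lam[r:]):
            continue
        vec = [0] * len(G[0])
        for coef, row in zip(lam, G):
            if coef:
                vec = [u ^ w for u, w in zip(vec, row)]
        best = sum(vec) if best is None else min(best, sum(vec))
    return best


def compatible_sets(F, K, s, kappa):
    """C_s = {y : F y = s} and C_{s,kappa} = {y in C_s : K y = kappa} over the
    l free bits; s and kappa stand for s + F g(E∩M) and kappa + K g(E∩M)."""
    l = len(F[0])
    c_s = [y for y in product((0, 1), repeat=l) if mat_vec(F, y) == tuple(s)]
    c_s_kappa = [y for y in c_s if mat_vec(K, y) == tuple(kappa)]
    return c_s, c_s_kappa


def ratio_is_two_to_minus_m(F, K, s):
    """Property 7 check: |C_{s,kappa}| = 2^-m |C_s| for every value of kappa."""
    m = len(K)
    c_s, _ = compatible_sets(F, K, s, [0] * m)
    return all(len(compatible_sets(F, K, s, list(kappa))[1]) * 2 ** m == len(c_s)
               for kappa in product((0, 1), repeat=m))


if __name__ == "__main__":
    for name, K in (("independent K", K_EXAMPLE), ("dependent K", K_DEPENDENT)):
        print(name, "d_w =", min_weight_dw(F_EXAMPLE, K),
              "Property 7 holds:", ratio_is_two_to_minus_m(F_EXAMPLE, K, [0, 0]))
```

With the independent $K$, every syndrome $s$ leaves four candidates for the unknown bits and exactly two of them per key value, so the announced $s$ carries no information about $\kappa$; with the dependent row, $Ky$ is constant on each $C_s$ and the "key" is fixed by the public syndrome, which is precisely the situation $d_w > 0$ excludes.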



Property 8  For any $\kappa \in \{0,1\}^m$ and $v \in \mathcal{R}$, the joint probability of the outcome $(v, \kappa)$ reads:

$P_{\mathbf{v}\boldsymbol{\kappa}}(v, \kappa) = \frac{1}{2^m}\, P_{\mathcal{M}PR}(M, P, R)\, \langle\phi_v|\bar{\rho}_{s, \kappa, g(\bar{E} \cup M)}|\phi_v\rangle$   (165)

where

• $P_{\mathcal{M}PR}(M, P, R) = \sum_{x \in C_{s, g(\bar{E} \cup M)}} P_{\mathcal{M}}(M)\, P_{\mathbf{a}\mathbf{g}\mathbf{R}\mathbf{F}\mathbf{K}|\mathcal{M}=M}(a, x, R, F, K)$ is the probability that Alice announces $P = (a, g(\bar{E}), F, K, s)$, the box announces $R$ and Eve-Bob get $M$ thanks to the photon number splitting attack.

• $|\Psi(g(A), a(A))\rangle = \bigotimes_{i \in A} |\psi(g_i, a_i)\rangle \in \mathcal{H}_A$ for any set $A \subset S$, where $\mathcal{H}_A$ stands for the Hilbert space describing the photons in $A$.

• $\bar{\rho}_{s, \kappa, g(\bar{E} \cup M)} = \frac{1}{|C_{s, \kappa, g(\bar{E} \cup M)}|} \sum_{x \in C_{s, \kappa, g(\bar{E} \cup M)}} |\Psi(x(E \cap \bar{M}), a(E \cap \bar{M}))\rangle\langle\Psi(x(E \cap \bar{M}), a(E \cap \bar{M}))|$.

• $|\phi_v\rangle$ denotes here the partial inner product $\langle\Psi(g(\bar{E} \cup M), a(\bar{E} \cup M))|\phi_v\rangle \in \mathcal{H}_{E \cap \bar{M}}$ of the vector $|\phi_v\rangle \in \mathcal{H}_S$ of (95) with the (known) state of the photons outside $E \cap \bar{M}$.

Note that in the above notation, $M$, $P$, $R$, $C_{s, g(\bar{E} \cup M)}$ and $C_{s, \kappa, g(\bar{E} \cup M)}$ are all given by $v$.

Property 9  For any view $v \in \mathcal{R}$ and for any operators $V$ and $W$ acting on the restricted space $\mathcal{H}_{E \cap \bar{M}} \subset \mathcal{H}_S$,

$P_{\mathcal{M}}(M)\, \mathrm{Tr}\big(E_{v|\mathcal{M}=M}\ V \rho_{|\mathcal{M}=M} W\big) = P_{\mathcal{M}PR}(M, P, R)\, \langle\phi_v|V \bar{\rho}_{s, g(\bar{E} \cup M)} W|\phi_v\rangle$   (166)

where

• $\bar{\rho}_{s, g(\bar{E} \cup M)} = \frac{1}{|C_{s, g(\bar{E} \cup M)}|} \sum_{x \in C_{s, g(\bar{E} \cup M)}} |\Psi(x(E \cap \bar{M}), a(E \cap \bar{M}))\rangle\langle\Psi(x(E \cap \bar{M}), a(E \cap \bar{M}))|$

• and the other elements are defined as previously.

Proof  Using Lemma 2 for $\rho_{|\mathcal{M}=M}$, $E_{(v,\kappa)|\mathcal{M}=M}$ and $E_{v|\mathcal{M}=M}$, we get (recall that $M$ is given by $v$)

$P_{\mathbf{v}\boldsymbol{\kappa}}(v, \kappa) = P_{\mathcal{M}}(M)\, P_{\mathbf{v}\boldsymbol{\kappa}|\mathcal{M}=M}(v, \kappa)$   (167)

$= P_{\mathcal{M}}(M)\, \mathrm{Tr}\big(E_{(v,\kappa)|\mathcal{M}=M}\ \rho_{|\mathcal{M}=M}\big)$   (168)

$= P_{\mathcal{M}}(M)\, P_{\mathbf{a}\mathbf{R}\mathbf{F}\mathbf{K}|\mathcal{M}=M}(a, R, F, K)\, P_{\mathbf{g}}(C_{s, \kappa, g(\bar{E} \cup M)})\, \mathrm{Tr}\big(F_{v|\mathcal{M}=M}\ \rho_{s, \kappa, g(\bar{E} \cup M)}\big)$   (169)

where

$\rho_{s, \kappa, g(\bar{E} \cup M)} = \frac{1}{P_{\mathbf{g}}(C_{s, \kappa, g(\bar{E} \cup M)})} \sum_{x \in C_{s, \kappa, g(\bar{E} \cup M)}} P_{\mathbf{g}}(x)\, |\Psi(x, a)\rangle\langle\Psi(x, a)|$   (170)
and, in the same way,

$P_{\mathcal{M}}(M)\, \mathrm{Tr}\big(E_{v|\mathcal{M}=M}\ V \rho_{|\mathcal{M}=M} W\big) = P_{\mathcal{M}}(M)\, P_{\mathbf{a}\mathbf{R}\mathbf{F}\mathbf{K}|\mathcal{M}=M}(a, R, F, K)\, P_{\mathbf{g}}(C_{s, g(\bar{E} \cup M)})\, \mathrm{Tr}\big(F_{v|\mathcal{M}=M}\ V \rho_{s, g(\bar{E} \cup M)} W\big)$   (171)

where

$\rho_{s, g(\bar{E} \cup M)} = \frac{1}{P_{\mathbf{g}}(C_{s, g(\bar{E} \cup M)})} \sum_{x \in C_{s, g(\bar{E} \cup M)}} P_{\mathbf{g}}(x)\, |\Psi(x, a)\rangle\langle\Psi(x, a)|$.   (172)

Now $V$ and $W$ act only on $\mathcal{H}_{E \cap \bar{M}}$, and for any $x \in C_{s, \kappa, g(\bar{E} \cup M)}$ or $C_{s, g(\bar{E} \cup M)}$, $x(\bar{E} \cup M) = g(\bar{E} \cup M)$. Thus

$\langle\Psi(x, a)|X|\phi_v\rangle = \langle\Psi(x(E \cap \bar{M}), a(E \cap \bar{M}))|X|\phi_v\rangle$   (173)

where $X$ is $V$ or $W$ (with $|\phi_v\rangle$ on the right-hand side the partial inner product defined in Property 8). Noting that $P_{\mathbf{g}}$ is uniform, for any $x$ we have $P_{\mathbf{g}}(x)/P_{\mathbf{g}}(C_{s, g(\bar{E} \cup M)}) = 1/|C_{s, g(\bar{E} \cup M)}|$ and $P_{\mathbf{g}}(x)/P_{\mathbf{g}}(C_{s, \kappa, g(\bar{E} \cup M)}) = 1/|C_{s, \kappa, g(\bar{E} \cup M)}|$. Finally we use the identities $P_{\mathbf{g}}(C_{s, \kappa, g(\bar{E} \cup M)}) = 2^{-m}\, P_{\mathbf{g}}(C_{s, g(\bar{E} \cup M)})$ (Property 7) and $P_{\mathcal{M}}(M)\, P_{\mathbf{a}\mathbf{R}\mathbf{F}\mathbf{K}|\mathcal{M}=M}(a, R, F, K)\, P_{\mathbf{g}}(C_{s, g(\bar{E} \cup M)}) = P_{\mathcal{M}PR}(M, P, R)$. This concludes the proof. □

It follows that the marginal probability of $v \in \mathcal{R}$ reads:

$P_{\mathbf{v}}(v) = P_{\mathcal{M}}(M)\, \mathrm{Tr}\big(E_{v|\mathcal{M}=M}\ \rho_{|\mathcal{M}=M}\big) = P_{\mathcal{M}PR}(M, P, R)\, \langle\phi_v|\bar{\rho}_{s, g(\bar{E} \cup M)}|\phi_v\rangle$.   (174)

Finally, for any ket $|\chi\rangle \in \mathcal{H}_{E \cap \bar{M}}$ and any $\kappa \in \{0,1\}^m$, we denote by $r_{v,\kappa}(|\chi\rangle)$ the ratio

$r_{v,\kappa}(|\chi\rangle) = \frac{\langle\chi|\bar{\rho}_{s, \kappa, g(\bar{E} \cup M)}|\chi\rangle}{\langle\chi|\bar{\rho}_{s, g(\bar{E} \cup M)}|\chi\rangle}$   (175)

whenever $\langle\chi|\bar{\rho}_{s, g(\bar{E} \cup M)}|\chi\rangle > 0$, and $r_{v,\kappa}(|\chi\rangle) = 1$ otherwise.

It is easy to see that, for any view $v \in \mathcal{R}$, any key $\kappa$ and any ket $|\chi\rangle \in \mathcal{H}_{E \cap \bar{M}}$ such that $\langle\chi|\bar{\rho}_{s, g(\bar{E} \cup M)}|\chi\rangle > 0$,

$\sum_{\kappa \in \{0,1\}^m} r_{v,\kappa}(|\chi\rangle) = \frac{\langle\chi|\sum_{\kappa \in \{0,1\}^m} \bar{\rho}_{s, \kappa, g(\bar{E} \cup M)}|\chi\rangle}{\langle\chi|\bar{\rho}_{s, g(\bar{E} \cup M)}|\chi\rangle}$   (176)

$= 2^m$   (177)

where we have used the identity $\sum_{\kappa \in \{0,1\}^m} \bar{\rho}_{s, \kappa, g(\bar{E} \cup M)} = 2^m\, \bar{\rho}_{s, g(\bar{E} \cup M)}$, which follows directly from Property 7 (the sets $C_{s, \kappa, g(\bar{E} \cup M)}$ partition $C_{s, g(\bar{E} \cup M)}$ into $2^m$ parts of equal size). The identity $\sum_{\kappa \in \{0,1\}^m} r_{v,\kappa}(|\chi\rangle) = 2^m$ holds for $\langle\chi|\bar{\rho}_{s, g(\bar{E} \cup M)}|\chi\rangle = 0$ as well.
5.6.3 Quasi-independence of the key and the view on $\mathcal{R} \cap \mathcal{L}$

We are going to prove in this section that the probability of the joint event in which Eve-Bob get the view $v$ and Alice gets the key $\kappa$ reads, provided $v \in \mathcal{R} \cap \mathcal{L}$,

$P_{\mathbf{v}\boldsymbol{\kappa}}(v, \kappa) = \pi_v + \eta_{v,\kappa}$   (178)

where $\pi_v$ is independent of $\kappa$ and an upper bound is found on $|\eta_{v,\kappa}|$.

For any view $v \in \mathcal{R}$ and any key value $\kappa \in \{0,1\}^m$, we have seen (Property 8) that

$P_{\mathbf{v}\boldsymbol{\kappa}}(v, \kappa) = \frac{1}{2^m}\, P_{\mathcal{M}PR}(M, P, R)\, \langle\phi_v|\bar{\rho}_{s, \kappa, g(\bar{E} \cup M)}|\phi_v\rangle$.   (179)

Let $\Pi_w(z)$ be the orthogonal projection onto the subspace $\mathcal{H}_w = \mathrm{Span}\{|\Psi(j, b)\rangle : d_{E \cap \bar{M}}(j, h) \ge d_w/2\} \subset \mathcal{H}_S$. The minimum weight $d_w$ has been defined earlier in Section 5. As before, the partial view $z$ is specified by the view $v$. Let $\bar{\Pi}_w(z) = \mathbb{1} - \Pi_w(z)$. Then $\Pi_w(z)$ and $\bar{\Pi}_w(z)$ act non trivially only on $\mathcal{H}_{E \cap \bar{M}}$, and

$\langle\phi_v|\bar{\rho}_{s, \kappa, g(\bar{E} \cup M)}|\phi_v\rangle = \langle\phi_v|(\Pi_w(z) + \bar{\Pi}_w(z))\ \bar{\rho}_{s, \kappa, g(\bar{E} \cup M)}\ (\Pi_w(z) + \bar{\Pi}_w(z))|\phi_v\rangle$.   (180)

Therefore,

$\langle\phi_v|\bar{\rho}_{s, \kappa, g(\bar{E} \cup M)}|\phi_v\rangle = \langle\phi_v|\bar{\Pi}_w(z)\ \bar{\rho}_{s, \kappa, g(\bar{E} \cup M)}\ \bar{\Pi}_w(z)|\phi_v\rangle + \langle\phi_v|\Pi_w(z)\ \bar{\rho}_{s, \kappa, g(\bar{E} \cup M)}|\phi_v\rangle + \langle\phi_v|\bar{\rho}_{s, \kappa, g(\bar{E} \cup M)}\ \Pi_w(z)|\phi_v\rangle - \langle\phi_v|\Pi_w(z)\ \bar{\rho}_{s, \kappa, g(\bar{E} \cup M)}\ \Pi_w(z)|\phi_v\rangle$.   (181)

We show that the first term in the r.h.s. of Equation (181) corresponds to the term independent of $\kappa$, and we derive a bound on the modulus of the remaining terms in the following parts.

The term independent of the key

Property 10  For any view $v$ in $\mathcal{R} \cap \mathcal{L}$, the first term in the r.h.s. of (181) is independent of $\kappa$. This term will be denoted by $\pi_v$ subsequently, for any $v \in \mathcal{R} \cap \mathcal{L}$. That is,

$\pi_v \stackrel{\mathrm{def}}{=} \frac{1}{2^m}\, P_{\mathcal{M}PR}(M, P, R)\, \langle\phi_v|\bar{\Pi}_w(z)\ \bar{\rho}_{s, \kappa, g(\bar{E} \cup M)}\ \bar{\Pi}_w(z)|\phi_v\rangle$.   (182)

Proof  We need the following identity.

Lemma 4

$\forall \alpha, \beta \in \{0,1\}^l$,   (183)

$\langle\Psi(\alpha, b(E \cap \bar{M}))|\bar{\rho}_{s, \kappa, g(\bar{E} \cup M)}|\Psi(\beta, b(E \cap \bar{M}))\rangle = \frac{1}{2^l} \times \begin{cases} (-1)^{(\alpha + \beta) \cdot \theta} & \text{if } \alpha + \beta \in \mathcal{C}^\perp \\ 0 & \text{if } \alpha + \beta \notin \mathcal{C}^\perp \end{cases}$   (184)

where $\theta$ is a vector in $\{0,1\}^l$ such that $G\theta = \binom{s}{\kappa} + Gg(E \cap M)$ ($\theta$ exists since $|C_{s, \kappa, g(\bar{E} \cup M)}| \neq 0$ for $v \in \mathcal{R}$) and $\mathcal{C} = \{y \in \{0,1\}^l : Gy = 0\}$ is the kernel of $G$. We recall that $\mathcal{Q}$ has been defined earlier in Section 5.

Proof of the lemma  First we need some definitions. For $y \in \{0,1\}$ and for $a \in \{+, \times\}$, define the unitary operator $U^a_y$ acting on a single photon Hilbert space by

$\forall x \in \{0,1\},\quad U^a_y\, |\psi(x, a)\rangle = |\psi(x + y, a)\rangle$.   (185)

It is easy to verify that on the opposite basis $U^a_y$ acts as

$U^a_y\, |\psi(x, \neg a)\rangle = (-1)^{xy}\, |\psi(x, \neg a)\rangle$.   (186)

Likewise, for $y \in \{0,1\}^l$ define the unitary operator $U^{a(E \cap \bar{M})}_y$ acting on $\mathcal{H}_{E \cap \bar{M}}$ as

$\forall x \in \{0,1\}^l,\quad U^{a(E \cap \bar{M})}_y\, |\Psi(x, a(E \cap \bar{M}))\rangle = |\Psi(x + y, a(E \cap \bar{M}))\rangle$.   (187)
It is easy to see that $U^{a(E \cap \bar{M})}_y$ is involutive, that is $U^{a(E \cap \bar{M})}_y\, U^{a(E \cap \bar{M})}_y = \mathbb{1}$. Since $b_i = \neg a_i$ for $i \in E \cap \bar{M}$, we have, using Equation (186),

$\forall x,\quad U^{a(E \cap \bar{M})}_y\, |\Psi(x, b(E \cap \bar{M}))\rangle = (-1)^{x \cdot y}\, |\Psi(x, b(E \cap \bar{M}))\rangle$.   (188)

Returning to our proof, we express $\bar{\rho}_{s, \kappa, g(\bar{E} \cup M)}$ (defined in Property 8), recalling that $G = \binom{F}{K}$. Furthermore, we use the fact that for any $y \in \{0,1\}^l$,

$Gy = \binom{s}{\kappa} + Gg(E \cap M) \iff y \in \theta + \mathcal{C}$   (189)

where $\theta$ is a vector in $\{0,1\}^l$ such that $G\theta = \binom{s}{\kappa} + Gg(E \cap M)$ (such a $\theta$ exists since $C_{s, \kappa, g(\bar{E} \cup M)} \neq \emptyset$). This gives, recalling that $\mathcal{C} = \{y : Gy = 0\}$,

$\bar{\rho}_{s, \kappa, g(\bar{E} \cup M)} = \frac{1}{|C_{s, \kappa, g(\bar{E} \cup M)}|} \sum_{\substack{x(\bar{E} \cup M) = g(\bar{E} \cup M) \\ Gx(E \cap \bar{M}) = \binom{s}{\kappa} + Gg(E \cap M)}} |\Psi(x(E \cap \bar{M}), a(E \cap \bar{M}))\rangle\langle\Psi(x(E \cap \bar{M}), a(E \cap \bar{M}))|$   (190)

$= \frac{1}{|C_{s, \kappa, g(\bar{E} \cup M)}|} \sum_{y \in \theta + \mathcal{C}} |\Psi(y, a(E \cap \bar{M}))\rangle\langle\Psi(y, a(E \cap \bar{M}))|$   (191)

$= \frac{1}{|C_{s, \kappa, g(\bar{E} \cup M)}|} \sum_{y \in \mathcal{C}} |\Psi(y + \theta, a(E \cap \bar{M}))\rangle\langle\Psi(y + \theta, a(E \cap \bar{M}))|$,   (192)

and, using Equation (188), for all $\alpha, \beta \in \{0,1\}^l$

$\langle\Psi(\alpha, b(E \cap \bar{M}))|\bar{\rho}_{s, \kappa, g(\bar{E} \cup M)}|\Psi(\beta, b(E \cap \bar{M}))\rangle = \langle\Psi(\alpha, b(E \cap \bar{M}))|\ \frac{1}{|C_{s, \kappa, g(\bar{E} \cup M)}|} \sum_{y \in \mathcal{C}} U^{a(E \cap \bar{M})}_\theta\, |\Psi(y, a(E \cap \bar{M}))\rangle\langle\Psi(y, a(E \cap \bar{M}))|\, U^{a(E \cap \bar{M})}_\theta\ |\Psi(\beta, b(E \cap \bar{M}))\rangle$   (193)

$= (-1)^{(\alpha + \beta) \cdot \theta}\ \langle\Psi(\alpha, b(E \cap \bar{M}))|\rho_{\mathcal{C}}|\Psi(\beta, b(E \cap \bar{M}))\rangle$,   (194)

where

$\rho_{\mathcal{C}} = \frac{1}{|\mathcal{C}|} \sum_{y \in \mathcal{C}} |\Psi(y, a(E \cap \bar{M}))\rangle\langle\Psi(y, a(E \cap \bar{M}))|$   (195)

(note that $|C_{s, \kappa, g(\bar{E} \cup M)}| = |\mathcal{C}|$, since $x \mapsto x(E \cap \bar{M})$ is a bijection from $C_{s, \kappa, g(\bar{E} \cup M)}$ onto $\theta + \mathcal{C}$). Let $q = \dim \mathcal{C}$, and let $\{\theta_1, \ldots, \theta_q\}$ be a basis of $\mathcal{C}$. Let $\mathcal{C}^{(j)}$ be the span of $\{\theta_1, \ldots, \theta_j\}$ for $j \in \{1, \ldots, q\}$. For $j \in \{1, \ldots, q\}$, define $\rho^{(j)}$ as

$\rho^{(j)} = \frac{1}{2^j} \sum_{x \in \mathcal{C}^{(j)}} |\Psi(x, a(E \cap \bar{M}))\rangle\langle\Psi(x, a(E \cap \bar{M}))|$.   (196)
We show by induction on $j \in \{0, \ldots, q\}$ that

$\forall \alpha, \beta \in \{0,1\}^l,\quad \langle\Psi(\alpha, b(E \cap \bar{M}))|\rho^{(j)}|\Psi(\beta, b(E \cap \bar{M}))\rangle = \begin{cases} 1/2^l & \text{if } \alpha + \beta \in \mathcal{C}^{(j)\perp} \\ 0 & \text{if } \alpha + \beta \notin \mathcal{C}^{(j)\perp}. \end{cases}$   (197)

For $j = 0$, we have $\mathcal{C}^{(0)} = \{0\}$, $\mathcal{C}^{(0)\perp} = \{0,1\}^l$ and $\rho^{(0)} = |\Psi(0, a(E \cap \bar{M}))\rangle\langle\Psi(0, a(E \cap \bar{M}))|$. Thus

$\forall \alpha, \beta,\quad \langle\Psi(\alpha, b(E \cap \bar{M}))|\rho^{(0)}|\Psi(\beta, b(E \cap \bar{M}))\rangle = \frac{1}{2^l}$,   (198)

and (197) holds (recall $a_i = \neg b_i$ on $E \cap \bar{M}$, so that every $|\Psi(\alpha, b(E \cap \bar{M}))\rangle$ has overlap $2^{-l/2}$ with $|\Psi(0, a(E \cap \bar{M}))\rangle$).

Suppose (197) holds for some $j \in \{0, \ldots, q - 1\}$. Since $\mathcal{C}^{(j+1)} = \mathcal{C}^{(j)} \cup (\theta_{j+1} + \mathcal{C}^{(j)})$, we have

$\rho^{(j+1)} = \frac{1}{2^{j+1}} \sum_{x \in \mathcal{C}^{(j)}} |\Psi(x, a(E \cap \bar{M}))\rangle\langle\Psi(x, a(E \cap \bar{M}))| + \frac{1}{2^{j+1}} \sum_{x \in \mathcal{C}^{(j)}} |\Psi(x + \theta_{j+1}, a(E \cap \bar{M}))\rangle\langle\Psi(x + \theta_{j+1}, a(E \cap \bar{M}))|$   (199)

$= \frac{1}{2}\Big(\rho^{(j)} + U^{a(E \cap \bar{M})}_{\theta_{j+1}}\ \rho^{(j)}\ U^{a(E \cap \bar{M})}_{\theta_{j+1}}\Big)$.   (200)

Thus,

$\forall \alpha, \beta,\quad \langle\Psi(\alpha, b(E \cap \bar{M}))|\rho^{(j+1)}|\Psi(\beta, b(E \cap \bar{M}))\rangle = \frac{1}{2}\, \langle\Psi(\alpha, b(E \cap \bar{M}))|\rho^{(j)}|\Psi(\beta, b(E \cap \bar{M}))\rangle\ \big(1 + (-1)^{(\alpha + \beta) \cdot \theta_{j+1}}\big)$   (201)

$= \begin{cases} \langle\Psi(\alpha, b(E \cap \bar{M}))|\rho^{(j)}|\Psi(\beta, b(E \cap \bar{M}))\rangle & \text{if } (\alpha + \beta) \cdot \theta_{j+1} = 0 \\ 0 & \text{if } (\alpha + \beta) \cdot \theta_{j+1} = 1. \end{cases}$

And since (197) holds for $j$, we get

$\langle\Psi(\alpha, b(E \cap \bar{M}))|\rho^{(j+1)}|\Psi(\beta, b(E \cap \bar{M}))\rangle = \begin{cases} 1/2^l & \text{if } \alpha + \beta \in \mathcal{C}^{(j+1)\perp} \\ 0 & \text{if } \alpha + \beta \notin \mathcal{C}^{(j+1)\perp}, \end{cases}$   (202)

which concludes our induction. Noting that $\mathcal{C}^{(q)} = \mathcal{C}$, $|\mathcal{C}| = 2^q$ and $\rho^{(q)} = \rho_{\mathcal{C}}$, we get, for any $\alpha, \beta \in \{0,1\}^l$,

$\langle\Psi(\alpha, b(E \cap \bar{M}))|\bar{\rho}_{s, \kappa, g(\bar{E} \cup M)}|\Psi(\beta, b(E \cap \bar{M}))\rangle = \frac{1}{2^l} \times \begin{cases} (-1)^{(\alpha + \beta) \cdot \theta} & \text{if } \alpha + \beta \in \mathcal{C}^\perp \\ 0 & \text{if } \alpha + \beta \notin \mathcal{C}^\perp, \end{cases}$   (203)

which concludes the proof of the lemma. □

Now by definition of $\mathcal{Q}$, for any vector $\gamma \in \mathcal{Q}$, there exists a vector $\lambda_\gamma \in \{0,1\}^{r+m}$ such that

$\lambda_\gamma G = \gamma$,   (204)

and since $\mathcal{C}^\perp = \mathcal{Q}$ (the orthogonal of the kernel of $G$ is the row space of $G$) with $(\alpha + \beta) \cdot \theta = \lambda_{\alpha+\beta} \cdot G\theta$, the above property reads

$\langle\Psi(\alpha, b(E \cap \bar{M}))|\bar{\rho}_{s, \kappa, g(\bar{E} \cup M)}|\Psi(\beta, b(E \cap \bar{M}))\rangle = \frac{1}{2^l} \times \begin{cases} 0 & \text{if } \alpha + \beta \notin \mathcal{Q} \\ (-1)^{\lambda_{\alpha+\beta} \cdot \big(\binom{s}{\kappa} + Gg(E \cap M)\big)} & \text{if } \alpha + \beta \in \mathcal{Q}. \end{cases}$   (205)
To see that the first term in (181) is independent of $\kappa$, recalling the definition of $\bar{\Pi}_w(z)$, write

$\langle\phi_v|\bar{\Pi}_w(z)\ \bar{\rho}_{s, \kappa, g(\bar{E} \cup M)}\ \bar{\Pi}_w(z)|\phi_v\rangle = \sum_{\substack{\alpha, \beta \in \{0,1\}^l \\ w(\alpha - h(E \cap \bar{M})) < d_w/2 \\ w(\beta - h(E \cap \bar{M})) < d_w/2}} \langle\phi_v|\Psi(\alpha, b(E \cap \bar{M}))\rangle\ \langle\Psi(\alpha, b(E \cap \bar{M}))|\bar{\rho}_{s, \kappa, g(\bar{E} \cup M)}|\Psi(\beta, b(E \cap \bar{M}))\rangle\ \langle\Psi(\beta, b(E \cap \bar{M}))|\phi_v\rangle$   (206)

and the $\alpha$'s and $\beta$'s contributing to the above sum obey

$w(\alpha + \beta) \le w(\alpha - h(E \cap \bar{M})) + w(\beta - h(E \cap \bar{M})) < d_w$,   (207)

thus $\alpha + \beta \notin \mathcal{Q}^*$ (the set $\mathcal{Q}^*$ has been defined earlier in Section 5; recall that $d_w$ is the minimum weight of its elements). The $\alpha$ and $\beta$ of the terms contributing in the sum are such that their sum is in $\mathcal{Q}$ (according to the previous lemma) but not in $\mathcal{Q}^*$. Since (by definition of $\mathcal{Q}^*$) for $\alpha + \beta \in \mathcal{Q} \setminus \mathcal{Q}^*$, $\lambda_{\alpha+\beta}$ is of the form $\binom{z}{0}$ where $z \in \{0,1\}^r$, the terms

$\langle\phi_v|\Psi(\alpha, b(E \cap \bar{M}))\rangle\ \langle\Psi(\alpha, b(E \cap \bar{M}))|\bar{\rho}_{s, \kappa, g(\bar{E} \cup M)}|\Psi(\beta, b(E \cap \bar{M}))\rangle\ \langle\Psi(\beta, b(E \cap \bar{M}))|\phi_v\rangle = \frac{1}{2^l}\, (-1)^{z \cdot (s + Fg(E \cap M))}\ \langle\phi_v|\Psi(\alpha, b(E \cap \bar{M}))\rangle\ \langle\Psi(\beta, b(E \cap \bar{M}))|\phi_v\rangle$   (208)

contributing in the above sum (i.e. for $\alpha + \beta \in \mathcal{Q} \setminus \mathcal{Q}^*$) do not depend on $\kappa$. Therefore $\langle\phi_v|\bar{\Pi}_w(z)\ \bar{\rho}_{s, \kappa, g(\bar{E} \cup M)}\ \bar{\Pi}_w(z)|\phi_v\rangle$ does not depend on $\kappa$. Now $P_{\mathcal{M}PR}(M, P, R)$ is independent of $\kappa$ since the $m$ rows of $K$ are linearly independent between themselves and linearly independent of the rows of $F$ (since $d_w > 0$ on $\mathcal{R}$ by definition (158)). Therefore, the term in the r.h.s. of (182) is independent of $\kappa$. This concludes the proof of the property. □
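As an added worked example (not part of the paper), the following Python code checks Lemma 4 in the form of Eq. (205), and the key-independence argument of Property 10, numerically on a constructed toy instance with $l = 4$ single-photon positions and $G = \binom{F}{K}$ with $r = 2$ and $m = 1$ (rows assumed independent, i.e. $d_w > 0$). It builds $\bar{\rho}_{s,\kappa,g(\bar{E} \cup M)}$ as the uniform mixture of $|\Psi(y, a)\rangle$ over the coset $\{y : Gy = \text{target}\}$, where the vector called `target` stands for $\binom{s}{\kappa} + Gg(E \cap M)$, rewrites it in the conjugate basis $b = \neg a$ using the convention $\langle\Psi(\alpha, b)|\Psi(y, a)\rangle = (-1)^{\alpha \cdot y}/\sqrt{2^l}$ implied by (186), compares every matrix element with the right-hand side of (205), and lists the pairs $(\alpha, \beta)$ whose element changes with $\kappa$: exactly those with $\alpha + \beta \in \mathcal{Q}^*$, as used in the proof of Property 10. The matrices, the target vectors and the basis convention are constructed for the illustration.

```python
from itertools import product
import math

# Constructed toy instance (not from the paper): l = 4 unknown single-photon
# bits, G = (F; K) with r = 2 parity rows and m = 1 privacy amplification row.
# The three rows are linearly independent over GF(2), so d_w > 0 as on R.
F_EXAMPLE = [[1, 1, 0, 0],
             [0, 1, 1, 0]]
K_EXAMPLE = [[0, 0, 1, 1]]


def gf2_dot(u, v):
    return sum(a & b for a, b in zip(u, v)) % 2


def mat_vec(mat, y):
    return tuple(gf2_dot(row, y) for row in mat)


def row_space(G):
    """The set Q of the paper: every gamma = lambda G, mapped to its lambda
    (unique here because the rows of G are assumed independent)."""
    q = {}
    for lam in product((0, 1), repeat=len(G)):
        gamma = tuple(sum(c * row[i] for c, row in zip(lam, G)) % 2
                      for i in range(len(G[0])))
        q.setdefault(gamma, lam)
    return q


def coset_mixture_in_conjugate_basis(G, target):
    """Matrix <Psi(alpha,b)| rho_bar |Psi(beta,b)>, rho_bar being the uniform
    mixture of |Psi(y,a)> over {y : G y = target} and b the basis conjugate to a,
    with the convention <Psi(alpha,b)|Psi(y,a)> = (-1)^(alpha.y) / sqrt(2^l)."""
    l = len(G[0])
    dim = 2 ** l
    states = list(product((0, 1), repeat=l))
    coset = [y for y in states if mat_vec(G, y) == tuple(target)]
    rho = [[0.0] * dim for _ in range(dim)]
    for y in coset:
        amp = [(-1) ** gf2_dot(alpha, y) / math.sqrt(dim) for alpha in states]
        for i in range(dim):
            for j in range(dim):
                rho[i][j] += amp[i] * amp[j] / len(coset)
    return rho


def predicted_entry(q, l, target, alpha, beta):
    """Right-hand side of Eq. (205): 0 if alpha+beta is outside Q, otherwise
    (-1)^(lambda . target) / 2^l where lambda G = alpha + beta."""
    gamma = tuple((a + b) % 2 for a, b in zip(alpha, beta))
    if gamma not in q:
        return 0.0
    return (-1) ** gf2_dot(q[gamma], target) / 2 ** l


def lemma_holds(F, K, target, tol=1e-9):
    """Compare the computed matrix with Eq. (205) entry by entry."""
    G = F + K
    l = len(G[0])
    q = row_space(G)
    rho = coset_mixture_in_conjugate_basis(G, target)
    states = list(product((0, 1), repeat=l))
    return all(abs(rho[i][j] - predicted_entry(q, l, target, a, b)) < tol
               for i, a in enumerate(states) for j, b in enumerate(states))


def key_dependent_pairs(F, K, s, tol=1e-9):
    """For m = 1: the pairs (alpha, beta) whose matrix element differs between
    kappa = 0 and kappa = 1, and the pairs with alpha + beta in Q* (lambda has a
    non-zero K-part). Property 10 rests on these two sets being equal."""
    G = F + K
    q = row_space(G)
    rho0 = coset_mixture_in_conjugate_basis(G, tuple(s) + (0,))
    rho1 = coset_mixture_in_conjugate_basis(G, tuple(s) + (1,))
    states = list(product((0, 1), repeat=len(G[0])))
    changed, q_star = set(), set()
    for i, a in enumerate(states):
        for j, b in enumerate(states):
            if abs(rho0[i][j] - rho1[i][j]) > tol:
                changed.add((a, b))
            gamma = tuple((x + y) % 2 for x, y in zip(a, b))
            if gamma in q and any(q[gamma][len(F):]):
                q_star.add((a, b))
    return changed, q_star


if __name__ == "__main__":
    for target in ((0, 0, 0), (1, 0, 1), (0, 1, 1)):
        print(target, "Eq. (205) holds:", lemma_holds(F_EXAMPLE, K_EXAMPLE, target))
    changed, q_star = key_dependent_pairs(F_EXAMPLE, K_EXAMPLE, (1, 0))
    print("key-dependent entries:", len(changed), "equal to Q* pairs:", changed == q_star)
```

Entries with $\alpha + \beta$ in the row space of $F$ alone are the same for both key values, entries with $\alpha + \beta \in \mathcal{Q}^*$ flip sign, and all other entries vanish; the projector $\bar{\Pi}_w(z)$ of Property 10 keeps only pairs with $w(\alpha + \beta) < d_w$, which is what excludes the sign-flipping entries.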

The deviation from the key-independent term

We now derive an upper bound on $|P_{\mathbf{v}\boldsymbol{\kappa}}(v, \kappa) - \pi_v|$.

Property 11  For any $v \in \mathcal{R} \cap \mathcal{L}$ and $\kappa \in \{0,1\}^m$, define $\eta_{v,\kappa}$ as

$\eta_{v,\kappa} \stackrel{\mathrm{def}}{=} P_{\mathbf{v}\boldsymbol{\kappa}}(v, \kappa) - \pi_v$.   (209)

The modulus of $\eta_{v,\kappa}$ is then upper bounded for any $v \in \mathcal{R} \cap \mathcal{L}$ and any $\kappa \in \{0,1\}^m$ by

$|\eta_{v,\kappa}| \le \frac{1}{2^m}\, P_{\mathbf{v}}(v)\, \Big(r_{v,\kappa}(\Pi_w(z)|\phi_v\rangle) + r_{v,\kappa}(|\phi_v\rangle)\Big)\, \Big(2\sqrt[4]{g(\delta, \tau_f, p_R, n)} + \sqrt{g(\delta, \tau_f, p_R, n)}\Big)$.   (210)

Proof  For any $v \in \mathcal{R} \cap \mathcal{L}$ and $\kappa \in \{0,1\}^m$, we have from Equation (181) and the definition (182) of $\pi_v$,

$\eta_{v,\kappa} = \frac{1}{2^m}\, P_{\mathcal{M}PR}(M, P, R)\, \Big[\langle\phi_v|\bar{\rho}_{s, \kappa, g(\bar{E} \cup M)}|\phi_v\rangle - \langle\phi_v|\bar{\Pi}_w(z)\ \bar{\rho}_{s, \kappa, g(\bar{E} \cup M)}\ \bar{\Pi}_w(z)|\phi_v\rangle\Big]$   (211)

$= \frac{1}{2^m}\, P_{\mathcal{M}PR}(M, P, R)\, \Big[\langle\phi_v|\Pi_w(z)\ \bar{\rho}_{s, \kappa, g(\bar{E} \cup M)}|\phi_v\rangle + \langle\phi_v|\bar{\rho}_{s, \kappa, g(\bar{E} \cup M)}\ \Pi_w(z)|\phi_v\rangle - \langle\phi_v|\Pi_w(z)\ \bar{\rho}_{s, \kappa, g(\bar{E} \cup M)}\ \Pi_w(z)|\phi_v\rangle\Big]$.   (212)
Remarking that the second term in the bracket is the complex conjugate of the first term, we have

$|\eta_{v,\kappa}| \le \frac{1}{2^m}\, P_{\mathcal{M}PR}(M, P, R)\, \Big[2\, \big|\langle\phi_v|\Pi_w(z)\ \bar{\rho}_{s, \kappa, g(\bar{E} \cup M)}|\phi_v\rangle\big| + \langle\phi_v|\Pi_w(z)\ \bar{\rho}_{s, \kappa, g(\bar{E} \cup M)}\ \Pi_w(z)|\phi_v\rangle\Big]$.   (213)

Now, the first term in the bracket verifies

$\big|\langle\phi_v|\Pi_w(z)\ \bar{\rho}_{s, \kappa, g(\bar{E} \cup M)}|\phi_v\rangle\big| = \big|\langle\phi_v|\Pi_w(z)\ \bar{\rho}^{1/2}_{s, \kappa, g(\bar{E} \cup M)}\ \bar{\rho}^{1/2}_{s, \kappa, g(\bar{E} \cup M)}|\phi_v\rangle\big|$   (214)

$\le \sqrt{\langle\phi_v|\Pi_w(z)\ \bar{\rho}_{s, \kappa, g(\bar{E} \cup M)}\ \Pi_w(z)|\phi_v\rangle} \times \sqrt{\langle\phi_v|\bar{\rho}_{s, \kappa, g(\bar{E} \cup M)}|\phi_v\rangle}$   (215)

using the Schwarz inequality and the fact that $\bar{\rho}_{s, \kappa, g(\bar{E} \cup M)}$ is Hermitian non negative. Now recalling the definition of $r_{v,\kappa}$, we have

$\langle\phi_v|\bar{\rho}_{s, \kappa, g(\bar{E} \cup M)}|\phi_v\rangle = r_{v,\kappa}(|\phi_v\rangle)\, \langle\phi_v|\bar{\rho}_{s, g(\bar{E} \cup M)}|\phi_v\rangle$   (216)

since $\langle\phi_v|\bar{\rho}_{s, g(\bar{E} \cup M)}|\phi_v\rangle > 0$ for any $v \in \mathcal{R}$ (recall that $P_{\mathbf{v}}(v) = P_{\mathcal{M}PR}(M, P, R)\, \langle\phi_v|\bar{\rho}_{s, g(\bar{E} \cup M)}|\phi_v\rangle > 0$ on $\mathcal{R}$). And

$\langle\phi_v|\Pi_w(z)\ \bar{\rho}_{s, \kappa, g(\bar{E} \cup M)}\ \Pi_w(z)|\phi_v\rangle = r_{v,\kappa}(\Pi_w(z)|\phi_v\rangle)\, \langle\phi_v|\Pi_w(z)\ \bar{\rho}_{s, g(\bar{E} \cup M)}\ \Pi_w(z)|\phi_v\rangle$   (217)

(recall that if $\langle\phi_v|\Pi_w(z)\ \bar{\rho}_{s, g(\bar{E} \cup M)}\ \Pi_w(z)|\phi_v\rangle = 0$ then $\langle\phi_v|\Pi_w(z)\ \bar{\rho}_{s, \kappa, g(\bar{E} \cup M)}\ \Pi_w(z)|\phi_v\rangle = 0$ as well). The latter can be bounded using the small sphere property (Property 6). If $v \in \mathcal{R} \cap \mathcal{L}$, Property 9 with $V = W = \Pi_0(z)$ gives

$P_{\mathcal{M}PR}(M, P, R)\, \langle\phi_v|\Pi_0(z)\ \bar{\rho}_{s, g(\bar{E} \cup M)}\ \Pi_0(z)|\phi_v\rangle = P_{\mathcal{M}}(M)\, \mathrm{Tr}\big(E_{v|\mathcal{M}=M}\ \Pi_0(z)\ \rho_{|\mathcal{M}=M}\ \Pi_0(z)\big)$   (218)

$\le P_{\mathbf{v}}(v)\, \sqrt{g(\delta, \tau_f, p_R, n)}$.   (219)

Now for $v \in \mathcal{R}$, $d_w/2 > d_2$, thus $\mathrm{Im}\,\Pi_w(z) \subset \mathrm{Im}\,\Pi_0(z)$ (refer to the beginning of Section 5.6.1), that is, $\Pi_w(z)$ projects onto a space contained in the space on which $\Pi_0(z)$ projects. In other words

$\mathrm{Span}\{|\Psi(j, b)\rangle : d_{E \cap \bar{M}}(j, h) \ge d_w/2\} \subset \mathrm{Span}\{|\Psi(j, b)\rangle : d_{E \cap \bar{M}}(j, h) \ge d_2\}$.   (220)

Since $\bar{\rho}_{s, g(\bar{E} \cup M)}$ is Hermitian non negative, it implies that, $\forall \kappa \in \{0,1\}^m$, $\forall v \in \mathcal{R} \cap \mathcal{L}$,

$P_{\mathcal{M}PR}(M, P, R)\, \langle\phi_v|\Pi_w(z)\ \bar{\rho}_{s, g(\bar{E} \cup M)}\ \Pi_w(z)|\phi_v\rangle \le P_{\mathcal{M}PR}(M, P, R)\, \langle\phi_v|\Pi_0(z)\ \bar{\rho}_{s, g(\bar{E} \cup M)}\ \Pi_0(z)|\phi_v\rangle \le P_{\mathbf{v}}(v)\, \sqrt{g(\delta, \tau_f, p_R, n)}$.   (221)

Linking the results (213), (215), (216), (217) and (221) together, we obtain, $\forall \kappa \in \{0,1\}^m$, $\forall v \in \mathcal{R} \cap \mathcal{L}$,

$|\eta_{v,\kappa}| \le \frac{1}{2^m}\, P_{\mathcal{M}PR}(M, P, R)\, \Big[2\, \sqrt{\frac{P_{\mathbf{v}}(v)}{P_{\mathcal{M}PR}(M, P, R)}\, \sqrt{g(\delta, \tau_f, p_R, n)}\, r_{v,\kappa}(\Pi_w(z)|\phi_v\rangle)}\ \times \sqrt{r_{v,\kappa}(|\phi_v\rangle)\, \langle\phi_v|\bar{\rho}_{s, g(\bar{E} \cup M)}|\phi_v\rangle} + \frac{P_{\mathbf{v}}(v)}{P_{\mathcal{M}PR}(M, P, R)}\, \sqrt{g(\delta, \tau_f, p_R, n)}\, r_{v,\kappa}(\Pi_w(z)|\phi_v\rangle)\Big]$   (222)
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and using ((^„ |/5^- j(BuAf)| ^^ ) = Pv{v)/Pmpr{M,P,R), we get 
1 



\Vv,k\ 



< 



< 



< 



g{5,Tf,pR,n) X 'Jr^,RijVw{z)\ 0«))?-^,k(| (i>v)) + 



5('5, T/,pit,n)r„_g(n„(2:)|^„)) P„(w) (223) 

— max(^{r„,;;(ni„(z)|^^,)),r„,;;(|0.„))}j X 2J ^^g{S,Tj:,pR,n) + ^g{6,Tf,pR,n) P^^)l) 



1 r 



?'t,,«;(nu,(z)|0i,)) +r^,K(| 01,)) X [2\ Jg{S,Tf,pR,n) + Jg{S,Tf,pR,n)]P^{v). (225) 



This concludes our proof. 



a 



5.6.4 Bound on the conditional entropy

In this section we conclude the privacy proof by deriving from the previous result the following property.

Property 12 The conditional Shannon entropy of the key $\kappa$ given Eve's view $v$ is lower bounded by

$$H(K|V) \ge m - \epsilon_1(N,m) \qquad (226)$$

where

$$\epsilon_1(N,m) = 2\Big(m + \frac{1}{\ln 2}\Big)h(\delta,\tau_f,p_R,n) + 2\sqrt{2\Big(m + \frac{1}{\ln 2}\Big)m\,h(\delta,\tau_f,p_R,n)} + m\big(P_V(\bar{\mathcal{R}}\cap\mathcal{P}) + P_V(\bar{\mathcal{L}}\cap\mathcal{P})\big) \qquad (227)$$

and

$$h(\delta,\tau_f,p_R,n) = 2\sqrt{g(\delta,\tau_f,p_R,n)} + g(\delta,\tau_f,p_R,n) \qquad (228)$$

as defined previously.

Proof We first prove that for any strictly positive real number $q$ and for any view $v \in \mathcal{R}\cap\mathcal{L}$, there exists a set $\mathcal{K}_v \subset \{0,1\}^m$ such that

• $|\mathcal{K}_v| \ge 2^m\big(1 - \frac{1}{q}\big)$, and

• $\forall\kappa \in \mathcal{K}_v$,

$$\Big|P_{K|V=v}(\kappa) - \frac{1}{2^m}\Big| \le \frac{1}{2^m}(2q+2)\,h(\delta,\tau_f,p_R,n). \qquad (229)$$

From that we prove the bound on the conditional entropy (Eqn. (226)).

For any view $v \in \mathcal{R}\cap\mathcal{L}$, summing over $\kappa \in \{0,1\}^m$ the joint probability $P_{KV}(\kappa,v) = \pi_v + \eta_{v,\kappa}$, we get, using Property 10,

$$P_V(v) = 2^m\pi_v + \sum_{\kappa\in\{0,1\}^m}\eta_{v,\kappa} \qquad (230)$$

but

$$\Big|\sum_{\kappa}\eta_{v,\kappa}\Big| \le \sum_{\kappa}|\eta_{v,\kappa}| \le 2\,P_V(v)\,h(\delta,\tau_f,p_R,n) \qquad (231)$$

using Property 11 and the identity (177). Therefore,

$$|P_V(v) - 2^m\pi_v| \le 2\,P_V(v)\,h(\delta,\tau_f,p_R,n), \qquad (232)$$

that is

$$\Big|\pi_v - \frac{1}{2^m}P_V(v)\Big| \le \frac{2}{2^m}\,P_V(v)\,h(\delta,\tau_f,p_R,n). \qquad (233)$$

Then, for any $\kappa \in \{0,1\}^m$,

$$\Big|P_{KV}(\kappa,v) - \frac{1}{2^m}P_V(v)\Big| \le |P_{KV}(\kappa,v) - \pi_v| + \Big|\pi_v - \frac{1}{2^m}P_V(v)\Big| \qquad (234)$$
$$\le \frac{1}{2^m}\,P_V(v)\,h(\delta,\tau_f,p_R,n)\Big(r_{v,\kappa}[\Pi_w(z)|\phi_v\rangle] + r_{v,\kappa}[|\phi_v\rangle]\Big) + \frac{2}{2^m}\,P_V(v)\,h(\delta,\tau_f,p_R,n), \qquad (235)$$

and dividing by $P_V(v) > 0$,

$$\Big|P_{K|V=v}(\kappa) - \frac{1}{2^m}\Big| \le \frac{1}{2^m}\,h(\delta,\tau_f,p_R,n)\Big(r_{v,\kappa}[\Pi_w(z)|\phi_v\rangle] + r_{v,\kappa}[|\phi_v\rangle]\Big) + \frac{2}{2^m}\,h(\delta,\tau_f,p_R,n). \qquad (236)$$

Let $a_{v,\kappa} = r_{v,\kappa}[\Pi_w(z)|\phi_v\rangle] + r_{v,\kappa}[|\phi_v\rangle]$. Then using again identity (177), we have

$$\sum_{\kappa\in\{0,1\}^m} a_{v,\kappa} = 2^{m+1} \qquad (237)$$

and (236) reads

$$\Big|P_{K|V=v}(\kappa) - \frac{1}{2^m}\Big| \le \frac{1}{2^m}\,h(\delta,\tau_f,p_R,n)\,(a_{v,\kappa} + 2). \qquad (238)$$

Let $q$ be a strictly positive real number. Let $U$ be a random variable taking value in $\{0,1\}^m$ with uniform probability distribution, i.e. $\forall\kappa \in \{0,1\}^m$, $P_U(\kappa) = 1/2^m$. Then using the lemma stated earlier (Markov's inequality) for $U$ with $A = 2^{m+1}$, we find that

$$P_U(\mathcal{K}_v) \ge 1 - \frac{1}{q} \qquad (239)$$

where the set $\mathcal{K}_v$ is defined by

$$\mathcal{K}_v = \Big\{\kappa \in \{0,1\}^m : a_{v,\kappa} \le 2^{m+1}\frac{q}{2^m} = 2q\Big\}. \qquad (240)$$

In other words,

$$|\mathcal{K}_v| \ge 2^m\Big(1 - \frac{1}{q}\Big). \qquad (241)$$

Let $\mathcal{I}$ be the set defined by

$$\mathcal{I} = \bigcup_{v\in\mathcal{R}\cap\mathcal{L}}\mathcal{K}_v\times\{v\} \subset \{0,1\}^m\times Z. \qquad (242)$$

It follows that, for any $(\kappa,v) \in \mathcal{I}$,

$$\Big|P_{K|V=v}(\kappa) - \frac{1}{2^m}\Big| \le \frac{1}{2^m}(2q+2)\,h(\delta,\tau_f,p_R,n), \qquad (243)$$

and

$$P_{KV}(\mathcal{I}) = \sum_{v\in\mathcal{R}\cap\mathcal{L}}\;\sum_{\kappa\in\mathcal{K}_v}P_{KV}(\kappa,v) \qquad (244)$$
$$= \sum_{v\in\mathcal{R}\cap\mathcal{L}}P_V(v)\sum_{\kappa\in\mathcal{K}_v}P_{K|V=v}(\kappa) \qquad (245)$$
$$\ge \sum_{v\in\mathcal{R}\cap\mathcal{L}}P_V(v)\sum_{\kappa\in\mathcal{K}_v}\frac{1}{2^m}\big(1 - (2q+2)h(\delta,\tau_f,p_R,n)\big) \qquad (246)$$
$$\ge \Big(1 - \frac{1}{q}\Big)\big(1 - (2q+2)h(\delta,\tau_f,p_R,n)\big)\,P_V(\mathcal{R}\cap\mathcal{L}) \qquad (247)$$
$$\ge \Big(1 - \frac{1}{q}\Big)\big(1 - (2q+2)h(\delta,\tau_f,p_R,n)\big)\big(P_V(\mathcal{P}) - P_V(\bar{\mathcal{R}}\cap\mathcal{P}) - P_V(\bar{\mathcal{L}}\cap\mathcal{P})\big) \qquad (248)$$
$$\ge P_V(\mathcal{P}) - P_V(\bar{\mathcal{R}}\cap\mathcal{P}) - P_V(\bar{\mathcal{L}}\cap\mathcal{P}) - \frac{1}{q} - (2q+2)h(\delta,\tau_f,p_R,n).$$

Now,

$$H(K|V) = -\sum_{\kappa,v}P_{KV}(\kappa,v)\log_2 P_{K|V=v}(\kappa) \qquad (249)$$
$$= -\sum_{\kappa,\,v\in\bar{\mathcal{P}}}P_{KV}(\kappa,v)\log_2 P_{K|V=v}(\kappa) - \sum_{\kappa,\,v\in\mathcal{P}}P_{KV}(\kappa,v)\log_2 P_{K|V=v}(\kappa). \qquad (250)$$

For any $v \in \bar{\mathcal{P}}$ and $\kappa \in \{0,1\}^m$, we have $P_{K|V=v}(\kappa) = 1/2^m$ since Alice chooses randomly and independently the value for $\kappa$ when the validation test is not passed. Therefore,

$$H(K|V) = m\,P_V(\bar{\mathcal{P}}) - \sum_{\kappa,\,v\in\mathcal{P}}P_{KV}(\kappa,v)\log_2 P_{K|V=v}(\kappa) \qquad (251)$$
$$\ge m\,P_V(\bar{\mathcal{P}}) - \sum_{(\kappa,v)\in\mathcal{I}}P_{KV}(\kappa,v)\log_2 P_{K|V=v}(\kappa) \qquad (252)$$

since for any $v$ and $\kappa$, $-\log_2 P_{K|V=v}(\kappa)$ is nonnegative. Using the relation

$$\forall(\kappa,v) \in \mathcal{I},\quad P_{K|V=v}(\kappa) = \frac{1}{2^m}(1 + \xi_{\kappa,v}) \qquad (253)$$

where $|\xi_{\kappa,v}| \le (2q+2)h(\delta,\tau_f,p_R,n)$ for any $(\kappa,v) \in \mathcal{I}$, we get

$$H(K|V) \ge m\big(P_V(\bar{\mathcal{P}}) + P_{KV}(\mathcal{I})\big) - \sum_{(\kappa,v)\in\mathcal{I}}P_{KV}(\kappa,v)\log_2(1 + \xi_{\kappa,v}) \qquad (254)$$
$$\ge m\Big(1 - P_V(\bar{\mathcal{R}}\cap\mathcal{P}) - P_V(\bar{\mathcal{L}}\cap\mathcal{P}) - \frac{1}{q} - (2q+2)h(\delta,\tau_f,p_R,n)\Big) - \frac{(2q+2)h(\delta,\tau_f,p_R,n)}{\ln 2} \qquad (255)-(256)$$
$$= m - \Big(m + \frac{1}{\ln 2}\Big)(2q+2)h(\delta,\tau_f,p_R,n) - \frac{m}{q} - m\big(P_V(\bar{\mathcal{R}}\cap\mathcal{P}) + P_V(\bar{\mathcal{L}}\cap\mathcal{P})\big) \qquad (257)$$

where we used Equation (248) and the inequality $\log_2(1+x) \le \frac{x}{\ln 2}$ for any $x > -1$.

The above inequality holds for any positive real number $q > 1$. In particular it holds for

$$q = \sqrt{\frac{m}{2\big(m + \frac{1}{\ln 2}\big)h(\delta,\tau_f,p_R,n)}} \qquad (258)$$

obtained by maximising the rhs of Eqn. (257) (the point where its derivative with respect to $q$ vanishes). We therefore obtain the bound on the conditional Shannon entropy of the key $\kappa$ given the view $v$

$$H(K|V) \ge m - \epsilon_1(N,m) \qquad (259)$$

where

$$\epsilon_1(N,m) = 2\Big(m + \frac{1}{\ln 2}\Big)h(\delta,\tau_f,p_R,n) + 2\sqrt{2\Big(m + \frac{1}{\ln 2}\Big)m\,h(\delta,\tau_f,p_R,n)} + m\big(P_V(\bar{\mathcal{R}}\cap\mathcal{P}) + P_V(\bar{\mathcal{L}}\cap\mathcal{P})\big). \qquad (260)$$

This concludes the proof of privacy. □
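The optimisation in (258) and the resulting value of $\epsilon_1$ in (260) can be checked numerically. The following Python is an added example, not code from the paper: it takes $h(\delta,\tau_f,p_R,n)$, $m$ and the two failure probabilities $P_V(\bar{\mathcal{R}}\cap\mathcal{P})$, $P_V(\bar{\mathcal{L}}\cap\mathcal{P})$ as plain numbers (the parameter names `h`, `m`, `p_r_bar`, `p_l_bar` and the function names are this example's, not the paper's), evaluates the deficit $m$ minus the rhs of (257) for a given $q$, and verifies that the closed form (260) is that deficit at the stationary point and is not beaten by any other $q$ on a grid.

```python
import math

INV_LN2 = 1.0 / math.log(2.0)  # the 1/ln 2 that comes from log2(1+x) <= x/ln 2


def h_of_g(g):
    """h(delta, tau_f, p_R, n) = 2 sqrt(g) + g, eq. (228); g is the small-sphere bound."""
    return 2.0 * math.sqrt(g) + g


def entropy_deficit(m, h, q, p_r_bar=0.0, p_l_bar=0.0):
    """m minus the rhs of (257) for a given q > 1: the entropy the bound concedes to Eve."""
    if q <= 1.0:
        raise ValueError("the derivation of (257) needs q > 1")
    return (m + INV_LN2) * (2.0 * q + 2.0) * h + m / q + m * (p_r_bar + p_l_bar)


def optimal_q(m, h):
    """Stationary point of (257) in q, eq. (258): d/dq[(m+1/ln2)(2q+2)h + m/q] = 0."""
    return math.sqrt(m / (2.0 * (m + INV_LN2) * h))


def epsilon_1(m, h, p_r_bar=0.0, p_l_bar=0.0):
    """eq. (260): the deficit evaluated at optimal_q, in closed form."""
    a = m + INV_LN2
    return 2.0 * a * h + 2.0 * math.sqrt(2.0 * a * m * h) + m * (p_r_bar + p_l_bar)


def key_entropy_lower_bound(m, h, p_r_bar=0.0, p_l_bar=0.0):
    """Property 12: H(K|V) >= m - epsilon_1(N, m)."""
    return m - epsilon_1(m, h, p_r_bar, p_l_bar)


def closed_form_is_minimum(m, h, samples=200):
    """True if no q on a grid around optimal_q gives a smaller deficit than (260).

    The grid runs from 0.1 q* to 3.1 q*; points with q <= 1 are outside the
    range where (257) was derived and are skipped.
    """
    q_star = optimal_q(m, h)
    best = epsilon_1(m, h)
    for k in range(1, samples + 1):
        q = q_star * (0.1 + 3.0 * k / samples)
        if q > 1.0 and entropy_deficit(m, h, q) < best - 1e-9:
            return False
    return True


if __name__ == "__main__":
    # Constructed parameters (not from the paper): a 1000-bit final key, g = 1e-8.
    m, g = 1000, 1e-8
    h = h_of_g(g)
    print("q* =", optimal_q(m, h))
    print("epsilon_1 =", epsilon_1(m, h))
    print("H(K|V) >=", key_entropy_lower_bound(m, h))
```

The check `q > 1.0` matters in practice: (258) only lands above 1 when $h$ is small compared with $m/(2(m + 1/\ln 2))$, roughly $h < 1/2$; for larger $h$ the bound (260) is vacuous anyway because $\epsilon_1$ exceeds $m$.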
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A Appendix: Binomial Tail Inequalities 

The following properties have been used throughout this paper. 
Property 13 Let a be a positive number such that < a < ^- Then 



^ p\<2ffi(")" (261) 



n 
, i 

where IIi{a) — — alogj a — {I — a) log2(l — a) is the binary entropy function. 
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Property 14 Let p, t be positive number such that 0<p<p + t<l. Then 



E 



{p-\-t)n<i<n 



p'{1~pY'-' <e 



-2t'n 



(262) 



Property 15 Let p, t be positive number such that 0<p — t<p< 1. Then 



E 



0<i<{p-t)n 



y(l-p)""'<e 



-2t^n 



(263) 



Property 16 Let A be a set of size \A\. Let B be a set. Suppose each element of A is contained in B 
with probability p. Let t be a positive number such that 0<p — T<p<p + T<l . Then the probability 
that B contains more than (p + t)\A\ elements of A (i.e. \An B\ > (p + t)\A\) is bounded by 

PT{\Ar\B\ > {p + t)\A\) <cxp[-2t2|A|]. (264) 

Likewise, the probability that B contains less than (p — t)\A\ elements of A is bounded by 

Pr(|AnS| < {p-t)\A\) <cxp[-2r2|A|]. (265) 

Proof Suppose $0 < p < p+t < 1$, $q = 1-p$. For any $x > 1$, we have

$$\sum_{k\le i\le n}\binom{n}{i}p^iq^{n-i} \le \sum_{k\le i\le n}\binom{n}{i}p^iq^{n-i}x^{i-k} \le \sum_{0\le i\le n}\binom{n}{i}p^iq^{n-i}x^{i-k} = \frac{1}{x^k}(q+px)^n \le \frac{(q+px)^n}{x^{(p+t)n}}$$

where $k = \lceil(p+t)n\rceil$. The minimum of the last expression as a function of $x$ ($x > 1$) is reached for

$$x = \frac{q(p+t)}{p(q-t)}$$

and the above inequality gives

$$\sum_{k\le i\le n}\binom{n}{i}p^iq^{n-i} \le \Big(\frac{p}{p+t}\Big)^{(p+t)n}\Big(\frac{q}{q-t}\Big)^{(q-t)n}. \qquad (266)$$

The inequality above reads, for $p = 1/2$ (therefore $q = 1/2$) and $t = \beta - 1/2$ where $\beta = 1-\alpha \in [1/2, 1]$,

$$\sum_{\beta n\le i\le n}\binom{n}{i} \le 2^{nH_1(\beta)}. \qquad (267)$$

Using the identity

$$\binom{n}{i} = \frac{n!}{(n-i)!\,i!} = \binom{n}{n-i} \qquad (268)$$

and remarking that $H_1(\alpha) = H_1(1-\beta) = H_1(\beta)$, we get Property 13.

Let's write (266) as

$$\sum_{k\le i\le n}\binom{n}{i}p^iq^{n-i} \le e^{n\,g(t)} \qquad (269)$$

where

$$g(t) = \ln\Big[\Big(\frac{p}{p+t}\Big)^{p+t}\Big(\frac{q}{q-t}\Big)^{q-t}\Big]. \qquad (270)$$

Then $g$ is $C^\infty$ on $[0,q[$, and applying Taylor's formula at order 2, we get

$$g(t) = g(0) + t\,g'(0) + \int_0^t g''(u)(t-u)\,du. \qquad (271)$$

It is easy to check that $g(0) = g'(0) = 0$ and that

$$g''(u) = -\frac{1}{(p+u)(q-u)} \le -4 \qquad (272)$$

for any $u \in\, ]0,q[$, since $(p+u)+(q-u) = 1$ forces $(p+u)(q-u) \le 1/4$. Therefore

$$g(t) = \int_0^t g''(u)(t-u)\,du \le -4\int_0^t (t-u)\,du = -2t^2. \qquad (273)$$

Since the exponential function is monotonically increasing, we get $e^{n\,g(t)} \le e^{-2t^2n}$, therefore

$$\sum_{(p+t)n\le i\le n}\binom{n}{i}p^iq^{n-i} \le e^{-2t^2n}, \qquad (274)$$

which gives Property 14.

Suppose now that $0 < p-t < p < 1$. Using the identity (268), we get

$$\sum_{0\le i\le(p-t)n}\binom{n}{i}p^iq^{n-i} = \sum_{0\le i\le(p-t)n}\binom{n}{n-i}q^{n-i}p^{i} = \sum_{n-(p-t)n\le j\le n}\binom{n}{j}q^jp^{n-j} = \sum_{(q+t)n\le j\le n}\binom{n}{j}q^jp^{n-j},$$

where $0 < q < q+t < 1$. Applying Property 14, we get

$$\sum_{0\le i\le(p-t)n}\binom{n}{i}p^i(1-p)^{n-i} \le e^{-2t^2n} \qquad (275)$$

which concludes the proofs for the binomial tail inequalities. We now prove Property 16. Since each element of $A$ belongs to $B$ independently with probability $p$, the probability that $B$ contains exactly $k$ elements of $A$, for $0 \le k \le |A|$, reads

$$\Pr(|A\cap B| = k) = \binom{|A|}{k}p^k(1-p)^{|A|-k}. \qquad (276)$$

Therefore, the probability that $B$ contains more than $(p+\tau)|A|$ elements of $A$ reads

$$\Pr(|A\cap B| > (p+\tau)|A|) = \sum_{(p+\tau)|A|<k\le|A|}\Pr(|A\cap B| = k) \qquad (277)$$
$$= \sum_{(p+\tau)|A|<k\le|A|}\binom{|A|}{k}p^k(1-p)^{|A|-k} \qquad (278)$$
$$\le \exp[-2\tau^2|A|], \qquad (279)$$

using the binomial tail inequality (Property 14). Likewise, the probability that $B$ contains less than $(p-\tau)|A|$ elements of $A$ reads

$$\Pr(|A\cap B| < (p-\tau)|A|) = \sum_{0\le k<(p-\tau)|A|}\Pr(|A\cap B| = k) \qquad (280)$$
$$= \sum_{0\le k<(p-\tau)|A|}\binom{|A|}{k}p^k(1-p)^{|A|-k} \qquad (281)$$
$$\le \exp[-2\tau^2|A|], \qquad (282)$$

using the binomial tail inequality (Property 15). This concludes the proof. □
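Because the protocol's validation test rests on these bounds, it is worth seeing the exact binomial tails next to the bounds for concrete parameters. The following Python is an added example, not code from the paper: it computes the left-hand sides of (261), (262) and (263) exactly with rational arithmetic, compares them with $2^{nH_1(\alpha)}$ and $e^{-2t^2n}$, and turns (264)-(265) into the number of test positions $|A|$ needed so that each one-sided deviation of the observed fraction by more than $\tau$ has probability at most $2^{-s}$ (the security exponent `s` and all function names are this example's conventions, not the paper's).

```python
import math
from fractions import Fraction


def binary_entropy(alpha):
    """H_1(alpha) = -alpha log2 alpha - (1-alpha) log2 (1-alpha), with H_1(0) = H_1(1) = 0."""
    if alpha <= 0 or alpha >= 1:
        return 0.0
    return -alpha * math.log2(alpha) - (1 - alpha) * math.log2(1 - alpha)


def head_count(n, alpha):
    """Exact sum_{0 <= i <= alpha n} C(n, i), the lhs of (261)."""
    return sum(math.comb(n, i) for i in range(math.floor(alpha * n) + 1))


def entropy_bound(n, alpha):
    """rhs of (261): 2^{n H_1(alpha)}."""
    return 2.0 ** (n * binary_entropy(alpha))


def upper_tail(n, p, t):
    """Exact Pr[X >= (p+t) n] for X ~ Bin(n, p), the lhs of (262); p and t as Fractions."""
    p, t = Fraction(p), Fraction(t)
    lo = math.ceil((p + t) * n)
    return sum(math.comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(lo, n + 1))


def lower_tail(n, p, t):
    """Exact Pr[X <= (p-t) n] for X ~ Bin(n, p), the lhs of (263)."""
    p, t = Fraction(p), Fraction(t)
    hi = math.floor((p - t) * n)
    return sum(math.comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(hi + 1))


def hoeffding_bound(n, t):
    """rhs of (262) and (263): exp(-2 t^2 n)."""
    return math.exp(-2.0 * float(t) ** 2 * n)


def tails_within_bound(n, p, t):
    """True when both exact tails respect the bound (Properties 14 and 15)."""
    b = hoeffding_bound(n, t)
    return float(upper_tail(n, p, t)) <= b and float(lower_tail(n, p, t)) <= b


def sample_size_for(tau, s):
    """Smallest |A| with exp(-2 tau^2 |A|) <= 2^-s, so that by Property 16 the
    observed fraction |A ∩ B| / |A| is off by more than tau on a given side with
    probability at most 2^-s."""
    return math.ceil(s * math.log(2.0) / (2.0 * tau * tau))


if __name__ == "__main__":
    # Constructed parameters (not from the paper): tolerance 1%, failure probability 2^-30.
    n = sample_size_for(0.01, 30)
    print("test positions needed:", n)
    print("bound:", hoeffding_bound(n, 0.01), "<= 2^-30 =", 2.0 ** -30)
    print("exact vs bound, Bin(10, 1/2), t = 3/10:",
          float(upper_tail(10, Fraction(1, 2), Fraction(3, 10))), hoeffding_bound(10, 0.3))
```

The exact tails are computed with `Fraction` so that the comparison with the bound is not itself a victim of floating-point error; the bound side is a float because `exp` is. Note how loose (262) is for small $n$ (the Bin(10, 1/2) case gives 0.055 against a bound of 0.165), and that the two-sided statement of Property 16 costs a factor 2 in the failure probability if both (264) and (265) must hold at once.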
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